Appropriateness of undertaking the Privacy Impact Assessment

Written on 3 Mar 2015

The Privacy Impact Assessment is regarded as a useful and suitable tool for analysing the processing of personal data from the early stages of a product or service.

The constant evolution of information technologies, such as the “Internet of Things” or “Big Data”, allows enterprises to process a great deal of information, with all the implications in terms of privacy and data protection that this entails for individuals. In this context, and closely related to the principle of privacy by design, a new concept has emerged: the privacy impact assessment (the “PIA”). While this practice is new in our country, it has a long history in Anglo-Saxon countries.

The PIA is a proactive measure designed to identify the risks arising from an information system, product or service when it processes personal data and, as a result of that analysis, to adopt the corrective measures needed to eliminate the risks identified. The PIA is conceived as a tool that provides confidence and security to users when carrying out a project involving the processing of personal data: because it is conducted prior to the implementation of a product or service, it gives users a complete top-down view of the consequences that might arise from the data processing.

The PIA is not mandatory in our country, but it is advisable that businesses involved in the processing of personal data conduct one, as recommended in the guide published by the Spanish Data Protection Agency (“AEPD”). However, this currently voluntary practice may become mandatory when the future European Regulation on Data Protection enters into force.

The recitals of the European Regulation on Data Protection reflect the importance that the European legislator attaches to the PIA, which is seen as the core of any data protection framework. Indeed, this practice seeks, for the first time, to implement a measure designed not to compensate for damage but to prevent or minimise it, since the underlying principle of the PIA is to cover every aspect of the risk management process throughout the entire lifecycle of personal data, from collection through processing to deletion.

In order to set out a framework for the future European Regulation on Data Protection, the AEPD published in October a guide on privacy impact assessment (La Guía para una Evaluación de Impacto en la Protección de Datos Personales). The guide establishes from the outset that the PIA goes beyond compliance with data protection regulations. It provides a list of example cases in which an analysis would need to be conducted and gives guidance on how the risks identified in that analysis should be addressed. Aside from the structure for carrying out the PIA proposed by the AEPD, companies should, before conducting it, identify which personal data will be processed, who will have access to that data and how the data is going to be handled. The PIA needs to be designed so that it can be systematically reproduced, and all the actors involved, whether internal or external, must take part in the assessment.

In conclusion, companies should consider the PIA an investment for the future. The PIA helps reduce costs, since making changes to a design is not the same as making changes to a project that has already been launched. Furthermore, it adds value to the business model, because the company is seen as an enterprise that adheres to data protection regulations and respects the privacy of individuals.