What Is the Purpose of a Privacy Impact Assessment?
A privacy impact assessment (PIA) helps identify and mitigate the risks of using personal data. Privacy impact assessments are vital for businesses to reduce risk and are crucial for individuals’ privacy and data rights.
But conducting a privacy impact assessment can be a complex exercise. It’s not always clear whether you need to do a privacy impact assessment—or what the scope of the assessment should be.
This article will look at the benefits of privacy impact assessments, consider when you should conduct one, and explore some common privacy impact assessment pitfalls.
Why Are Privacy Impact Assessments Important?
Privacy impact assessments are important to help manage risks—both to organisations and individuals.
As technology advances and companies use more and more personal data, new and unforeseen hazards emerge. A privacy impact assessment is a way to reduce or eliminate the possibility of causing harm.
Privacy impact assessments don’t necessarily stop you from using personal data to meet your goals. The process can support your objectives by helping you keep data safe and respect people’s rights.
What Are the Benefits of a Privacy Impact Assessment?
A privacy impact assessment can sometimes be time-consuming and complicated. But the process will almost certainly be worthwhile.
There are many benefits to carrying out a privacy impact assessment. For example:
- To help you comply with relevant privacy and data protection laws.
- To help reduce the likelihood of a data breach or another privacy issue.
- To check whether there are safer or better ways to use people’s personal data.
- To demonstrate to regulators and customers that you take people’s privacy seriously.
A privacy impact assessment can help you:
- Reveal risks that you might not have considered.
- Figure out how to mitigate or eliminate those risks.
A privacy impact assessment might reveal that your proposed project would be illegal or too risky. It’s obviously better to know this from the outset so you can call the project off.
We’ll look at some examples of where companies have failed in their privacy impact assessment obligations below. But first, a positive story.
A university was investigated by the Danish data protection regulator following a complaint about its online testing process.
But because the university had conducted and followed a good-quality privacy impact assessment, the regulator rejected the complaint.
This is a great example of how taking privacy seriously can help reduce risk.
Do I Need to Conduct a Privacy Impact Assessment?
We’ve looked at why doing a privacy impact assessment can benefit your organisation. But you might also need to conduct a privacy impact assessment by law.
General Data Protection Regulation (GDPR)
Under the EU and UK General Data Protection Regulation (GDPR), you must carry out a “data protection impact assessment” (DPIA) before processing personal data in a way that is “likely to result in a high risk” to individuals.
According to guidance from the European Data Protection Board (EDPB), examples of high-risk activities include:
- Evaluation or scoring.
- Automated decision-making with legal or similarly significant effects.
- Systematic monitoring.
- Processing sensitive data of a highly personal nature.
- Processing data on a large scale.
- Matching or combining datasets.
- Processing data about vulnerable people, including children.
- Using new technologies or using existing technology in an innovative way.
- Preventing people from exercising their rights or accessing a service.
Note: Under the GDPR, “processing” personal data means doing virtually anything with it, including collecting it, storing it, sharing it, or deleting it.
If you’re planning a project that involves one or more of these activities, you might need to conduct a DPIA.
Here are some examples:
- Monitoring employee productivity (could involve activities 1, 3, and 7, above).
- Collecting social media data to create profiles of potential customers (1, 4, 5, and 6).
- Screening people for suspected fraud (1, 4, 6, 9).
Using AI might also require you to conduct a DPIA. The information used to train AI typically includes a lot of personal data. And AI can produce biased or discriminatory effects.
There are countless more possible examples. Additionally, each of Europe’s data protection regulators has published a list of activities that always require a DPIA.
If you’re not sure whether you need to do a DPIA, you may need to take advice. We’ll consider when this might be appropriate later in the article.
Outside of Europe
More and more countries are recognising the importance of privacy impact assessments, and the process is likely to see even more widespread adoption from 2023 onwards.
For example, two new US state laws require organisations to conduct a type of privacy impact assessment (known as a “data protection assessment”) under certain conditions.
Under Virginia and Connecticut’s new privacy laws, covered organisations must undertake an assessment before using personal data in a way that presents a “heightened risk of harm to consumers”, including:
- Selling personal data.
- Conducting targeted advertising.
- Doing certain types of “profiling”.
- Using sensitive personal data.
Further draft laws contain a similar requirement in various other US states, including:
- New York
- Massachusetts
- Indiana
Privacy impact assessments are also mandatory in many other countries, including:
- China
- Brazil
- Dubai International Financial Centre
In other places, such as Singapore, New Zealand, and Australia, regulators strongly encourage organisations to conduct privacy impact assessments where appropriate.
But whether it’s legally required or not, you should always consider doing a privacy impact assessment if you are concerned or unsure about the risks involved in a proposed project.
Common Privacy Impact Assessment Pitfalls
Let’s look at some common privacy impact assessment pitfalls, together with some real-world examples of where organisations have gone wrong.
Assuming No Privacy Impact Assessment Is Required
Perhaps the most common mistake is assuming you don’t need to do a privacy impact assessment.
The process of figuring out whether you need to do a privacy impact assessment is sometimes called a “threshold assessment”. Some companies fail to do this threshold assessment because they assume their activities are not risky or do not involve personal data.
Here’s one of many real examples.
The Interactive Advertising Bureau Europe (IAB Europe) sets standards for targeted advertising across thousands of companies. The IAB Europe did not believe it was responsible for assessing the risks of targeted advertising.
However, following a complaint, the Belgian regulator found that the IAB Europe was processing personal data on a massive scale and, among other things, should have conducted a privacy impact assessment.
The IAB Europe received a fine and was forced to totally redesign its processes. Conducting a privacy impact assessment at the outset might have prevented this.
Drawing the Wrong Conclusions From a Threshold Assessment
Conducting a “threshold assessment” to decide whether to do a privacy impact assessment is important. We’ve seen how some organisations fail to take this first step. But other companies do a threshold assessment and simply draw the wrong conclusions.
In Spain, an employer introduced a fingerprint scanner to track employee access to facilities. After the union complained, the Spanish regulator investigated.
The company had done a threshold assessment to check whether a full privacy impact assessment was required. But the company decided that it did not need to do a privacy impact assessment, even though it was planning to process biometric data about its employees.
The Spanish regulator fined the company €20,000—not because the fingerprint scanning was necessarily illegal, but because the company had failed to conduct a privacy impact assessment.
Not Conducting a Full Assessment
A PIA is supposed to cover all aspects of data processing for a project. But some organisations miss crucial details and compromise people’s privacy as a result.
The French Ministry of Health conducted a privacy impact assessment before rolling out its StopCovid contact-tracing app. The assessment identified some of the risks associated with this project.
But the assessment missed one thing—the app used Google’s reCAPTCHA bot-catching tool, which collects information about people’s devices. This information is personal data in certain contexts.
The French regulator found that the ministry’s assessment did “not fully meet the requirements” of the GDPR, and ordered the organisation to take corrective actions within one month.
Not Seeking Advice
If you have a data protection officer (DPO), the GDPR says that you must involve them in your privacy impact assessment.
Failing to involve a DPO in the privacy impact assessment was part of the reason that the Belgian tax authority received a €3.7 million fine. The same problem contributed to a €4.3 million fine against the Portuguese statistics agency.
Potential fines aside, having an expert’s view on the risks of your project can be crucial. An internal or external DPO can help ensure you need to carry out a privacy impact assessment, identify all relevant risks, and advise on any mitigations you can put in place.
Only someone with an in-depth understanding of data protection law can truly see how your systems might produce privacy harms—and whether there’s a better, safer way of meeting your objectives.
If you have a DPO, you’re legally required to consult them about your privacy impact assessment. If you don’t have a DPO, consider taking expert advice from a data protection consulting service.