Organizations that fall under the EU’s GDPR may be required to perform DPIA. Learn more about the requirement and differences between PIA and DPIA.
Many specialists believe that the EU’s General Data Protection Regulation (GDPR)’s requirement to conduct data protection impact assessment has made a real breakthrough in how organizations handle personal data. It’s not exactly that the GDPR establishes the impact assessment procedure, more as it replaces an existing Privacy Impact Assessment (PIA) with Data Protection Impact Assessment (DPIA). There is a difference between these two assessments and how they approach the protection of individuals’ fundamental rights. If many organizations are more or less familiar with PIA, the DPIA was an unchartered territory until recent times. Thus, the main aim of this article is to compare PIA and DPIA and highlight their impact assessment requirements.
PIA, as same as DPIA, has a historical basis and best practice guidance in the European Union’s legal framework. The U.S. law enshrined PIA via the E-Government Act of 2002. Section 208 of the Act required federal agencies to conduct PIAs when “developing systems involving the collection, maintenance, or dissemination of information… that makes substantial changes to existing systems.” The common PIA guidelines are officially established by the Department of Homeland Security (DHS), Federal Trade Commission, and Office for Information Technology. Although the E-Governance Act only applies to U.S. federal agencies, many private sector organizations have adopted the PIA processes as an effective tool to reduce data privacy risks.
To promote PIAs among the private sector entities, the International Organization for Standardization (ISO) published an ISO/IEC 20134:2017 in 2017. The standard provided guidelines for the process of PIA’s conducting and reporting.
In 2018, the GDPR upended the traditional understanding of the PIA by suggesting DPIA – Data Protection Impact Assessment. The legislation mandated covered businesses to conduct DPIAs for data processing activities that involve a high risk to personal data.
Privacy Impact Assessment (PIA) refers to identifying what and why personally identifiable information (PII) has been collected and identifying risks and potential effects of how organizations collect, maintain, and share personally identifiable information.
In this way, PIA helps to realize how the organization will handle information in new or altering circumstances. PIA also helps to ensure that all personal data behaviors comply with legal privacy requirements. Finally, it evaluates any risks associated with data handling and helps to identify the necessary measures to mitigate these potential privacy risks.
Data Protection Impact Assessment (DPIA) is used for identifying and minimizing risks associated with the processing of personal data. In the context of GDPR, DPIA helps an organization assess the data-related risks that could compromise the rights and freedoms of the data subjects.
The main aim of DPIA is to provide clear, documented evidence that an entity has evaluated the risks of certain data processing activities and demonstrate that the organization mitigated these risks
All in all, both PIA and DPIA allow organizations to identify processes and measures needed to address and reduce risks to PII. However, they differ in their assessment goals.
PIAs mainly focus on general data privacy risks associated with projects, products, or services. In addition, most PIA guidelines do not require private organizations to report their findings. In contrast, DPIAs are more focused on the data subjects and the impact the processing operation may have on them. Furthermore, Article 35 of the GDPR requires covered organizations to report their DPIA findings, including certain data behavior that may result in a high risk to data subjects.
PIAs aim to assess the compliance controls, associated technical requirements and identify risks associated with those. Hence, assessing the availability of the necessary technical requirements helps organizations to determine the level of compliance with applicable laws, regulations, and industry standards. Thus, PIAs help identify potential areas of non-compliance and provide mechanisms to mitigate those issues. The mitigation may include updating privacy notices, honoring opt-outs, or having an incident response plan in place.
In contrast, DPIAs extend beyond assessing compliance with technical requirements. They evaluate the inherent privacy risks and determine the sufficiency of the risk mitigation controls. DPIA enables organizations to examine whether the processing of data will create value for society and individuals.
Organizations use PIAs to mitigate organizational privacy risks in the early stages of a new project cycle, such as implementing a new business process, products, processes, systems, etc. However, PIAs can also be conducted on the existing processes, products, and systems on their altering stage. For instance, organizations may conduct PIAs when they expand their operations to a new country.
According to the E-Government Act of 2002, the reasons to conduct PIAs may include:
Unlike PIA, DPIA is conducted any time an entity’s data behavior is likely to involve “a high risk” to other people’s personal information. Article 35 of the GDPR states that: Where a type of processing, in particular, using new technologies…. is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall… assess the impact of the envisaged processing operations on the personal data protection.
The GDPR does not specify the types of processing that could result in risk; however, EU Member States have published their guidelines around when DPIAs are necessary. Some examples include:
In addition to the abovementioned, the organization must conduct DPIA if the data processed could result in physical harm to the data subjects in case of leaking.
While there are no concrete requirements for how the organizations should conduct a PIA and DPIA, there are several components that should be included.
As such, PIA, at a minimum, should analyze and describe:
The DPIA’s assessment components also include four main elements. The main difference is that these components demonstrate the DPIA’s focus on data subjects and also have its conducting requirements. As stated in Article 35 of the GDPR, DPIAs must contain the following elements:
PIA and DPIA are the tools to identify the controls needed to address and reduce the risk related to PII. Although there are no official legal obligations to implement PIA practices in the private sector, many businesses still conduct PIA before beginning any new data processing activities. At the same time, organizations should be ready to shift their focus from the general data privacy risks associated with projects, products, or services to the data subjects and the impact the processing operation may have on them.