PIA vs. DPIA: the Purpose and Requirements

Organizations that fall under the EU’s GDPR may be required to perform a DPIA. Learn more about the requirement and the differences between PIA and DPIA.

Many specialists believe that the requirement in the EU’s General Data Protection Regulation (GDPR) to conduct a data protection impact assessment has made a real breakthrough in how organizations handle personal data. The GDPR does not so much establish the impact assessment procedure as replace the existing Privacy Impact Assessment (PIA) with the Data Protection Impact Assessment (DPIA). There is a difference between these two assessments and how they approach the protection of individuals’ fundamental rights. While many organizations are more or less familiar with PIA, the DPIA was uncharted territory until recently. Thus, the main aim of this article is to compare PIA and DPIA and highlight their impact assessment requirements.

General Approach to Impact Assessment

PIA, like DPIA, has a historical basis and best practice guidance in the European Union’s legal framework. U.S. law enshrined PIA via the E-Government Act of 2002. Section 208 of the Act required federal agencies to conduct PIAs when “developing systems involving the collection, maintenance, or dissemination of information… that makes substantial changes to existing systems.” The common PIA guidelines are officially established by the Department of Homeland Security (DHS), Federal Trade Commission, and Office for Information Technology. Although the E-Government Act only applies to U.S. federal agencies, many private sector organizations have adopted the PIA processes as an effective tool to reduce data privacy risks.

To promote PIAs among private sector entities, the International Organization for Standardization (ISO) published ISO/IEC 20134:2017 in 2017. The standard provided guidelines for conducting and reporting PIAs.

In 2018, the GDPR upended the traditional understanding of the PIA by introducing the Data Protection Impact Assessment (DPIA). The legislation requires covered businesses to conduct DPIAs for data processing activities that involve a high risk to personal data.

Defining PIA and DPIA

Privacy Impact Assessment (PIA)

Privacy Impact Assessment (PIA) refers to identifying what personally identifiable information (PII) is collected and why, and identifying the risks and potential effects of how organizations collect, maintain, and share that information.

In this way, PIA helps to understand how the organization will handle information in new or changing circumstances. PIA also helps to ensure that all handling of personal data complies with legal privacy requirements. Finally, it evaluates any risks associated with data handling and helps to identify the necessary measures to mitigate these potential privacy risks.

Data Protection Impact Assessment (DPIA)

Data Protection Impact Assessment (DPIA) is used for identifying and minimizing risks associated with the processing of personal data. In the context of GDPR, DPIA helps an organization assess the data-related risks that could compromise the rights and freedoms of the data subjects.

The main aim of DPIA is to provide clear, documented evidence that an entity has evaluated the risks of certain data processing activities and to demonstrate that the organization has mitigated these risks.

Comparing and Contrasting PIA and DPIA

All in all, both PIA and DPIA allow organizations to identify processes and measures needed to address and reduce risks to PII. However, they differ in their assessment goals. 

PIA vs. DPIA: Focus of Protection

PIAs mainly focus on general data privacy risks associated with projects, products, or services. In addition, most PIA guidelines do not require private organizations to report their findings. In contrast, DPIAs are more focused on the data subjects and the impact the processing operation may have on them. Furthermore, Article 35 of the GDPR requires covered organizations to report their DPIA findings, including certain data behavior that may result in a high risk to data subjects.

PIA vs. DPIA: Focus of Assessment

PIAs aim to assess compliance controls and the associated technical requirements, and to identify the risks associated with them. Hence, assessing the availability of the necessary technical requirements helps organizations to determine the level of compliance with applicable laws, regulations, and industry standards. Thus, PIAs help identify potential areas of non-compliance and provide mechanisms to mitigate those issues. The mitigation may include updating privacy notices, honoring opt-outs, or having an incident response plan in place.

In contrast, DPIAs extend beyond assessing compliance with technical requirements. They evaluate the inherent privacy risks and determine the sufficiency of the risk mitigation controls. DPIA enables organizations to examine whether the processing of data will create value for society and individuals.

PIA vs. DPIA: When to Use PIA

Organizations use PIAs to mitigate organizational privacy risks in the early stages of a new project cycle, such as implementing new business processes, products, or systems. However, PIAs can also be conducted on existing processes, products, and systems when they are being changed. For instance, organizations may conduct PIAs when they expand their operations to a new country.

According to the E-Government Act of 2002, the reasons to conduct PIAs may include:

  • collecting new personal information about data subjects;
  • converting information from anonymous to an identifiable format;
  • implementing new application users or technologies;
  • implementing user-authentication technology that involves personal data collection;
  • changes to business processes that affect existing data collection processes;
  • adding new types of personal data, etc.

PIA vs. DPIA: When to Use DPIA

Unlike PIA, DPIA is conducted any time an entity’s data behavior is likely to involve “a high risk” to other people’s personal information. Article 35 of the GDPR states that: Where a type of processing, in particular, using new technologies… is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall… assess the impact of the envisaged processing operations on the personal data protection.

The GDPR does not specify the types of processing that could result in risk; however, EU Member States have published their guidelines around when DPIAs are necessary. Some examples include: 

  • using new technologies associated with evaluation, scoring, profiling, automated decision making or other kinds of new technologies;
  • tracking people’s location or behavior;
  • processing that involves a large number of data subjects;
  • processing specific personal data related to “racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data to uniquely identify a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation”;
  • processing data of minors or other vulnerable data subjects.

In addition to the above, an organization must conduct a DPIA if the data processed could result in physical harm to the data subjects should it leak.

PIA vs. DPIA: Assessment Components

While there are no concrete requirements for how organizations should conduct a PIA or DPIA, there are several components that should be included.

As such, PIA, at a minimum, should analyze and describe:

  • nature, sources, and eligibility of information to be collected;
  • the purpose for which personal data will be collected, used, and shared;
  • what opportunities individuals have to decline to provide information or to consent to particular uses of the information; and
  • how the information will be secured.

The DPIA’s assessment components also include four main elements. The main difference is that these components demonstrate the DPIA’s focus on data subjects, and that the DPIA has its own requirements for how it is conducted. As stated in Article 35 of the GDPR, DPIAs must contain the following elements:

  • systematic description of the envisaged processing operations and the purposes of the processing;
  • assessment of the necessity and proportionality of the processing operations in relation to the purposes;
  • assessment of the risks to the rights and freedoms of data subjects;
  • measures that are necessary to address the risks (e.g., security mechanisms to ensure personal data protection and demonstrate compliance with the GDPR).

All in all…

PIA and DPIA are the tools to identify the controls needed to address and reduce the risk related to PII. Although there are no official legal obligations to implement PIA practices in the private sector, many businesses still conduct PIA before beginning any new data processing activities. At the same time, organizations should be ready to shift their focus from the general data privacy risks associated with projects, products, or services to the data subjects and the impact the processing operation may have on them.
