PIA is a Process Designing for Privacy Leonardo H. Iwaya CC-BY-4.0 - - PowerPoint PPT Presentation



SLIDE 1

CC-BY-4.0

PIA is a Process

Designing for Privacy – Leonardo H. Iwaya

SLIDE 2

What is Data Protection Impact Assessment?

  • ”Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.” – Art. 35 GDPR.

SLIDE 3

What is Privacy Impact Assessment?

  • ”A privacy impact assessment (PIA) is an instrument for assessing the potential impacts on privacy of a process, information system, programme, software module, device or other initiative which processes personally identifiable information (PII) and, in consultation with stakeholders, for taking actions as necessary in order to treat privacy risk.” – ISO/IEC 29134:2017.

SLIDE 4

Who benefits from PIAs?

They do:

  • Your customers and the general public – because you are looking out for their privacy interests
  • Your organisation – because you demonstrate to your employees and contractors that you take privacy seriously and expect them to do the same
  • The regulators – because when you carry out a proper PIA you clarify your project's information dealings, making their work easier

SLIDE 5

Who benefits from PIAs?

Not sure yet?

  • A PIA helps to reduce costs in management time, legal expenses and potential negative media (i.e., PR also likes it)
  • A PIA helps to demonstrate compliance as an element of accountability
  • A PIA enhances informed decision-making and exposes internal communication gaps or hidden assumptions
  • A PIA helps to avoid the privacy pitfalls of a project
  • And, well... it might be mandatory...

SLIDE 6

How do you do PIA?

  • ”[PIA] is a process which should begin at the earliest possible stages, when there are still opportunities to influence the outcome of a project. It is a process that should continue until and even after the project has been deployed.” – David Wright, The state of the art in privacy impact assessment (2012)

SLIDE 7

How do you do PIA?

“While each project is different, a PIA should generally include the following steps:” – OIC Queensland, Overview of the Privacy Impact Assessment process (2017)

  • 1. Conduct a threshold assessment – Work out the extent to which the project will benefit from a PIA. Generally, if personal information is involved in the project, a PIA will be necessary.
  • 2. Plan the PIA – Consider how detailed the PIA will be, who will conduct it, who needs to be consulted, when it needs to be delivered, and whether the PIA Report will be published and, if so, in what format.
  • 3. Describe the project – Prepare a ‘big picture’ description of what the project will deliver and what it will achieve, why it is needed, timeframes, and any links to existing projects. This will provide context for the PIA process.
  • 4. Identify and consult with stakeholders – Identify who has an interest in or is affected by the project, the level of consultation warranted by the project and how the consultation will be conducted.
  • 5. Map the personal information flow – Describe how personal information will be collected, stored, used and disclosed in the project from beginning to end.
  • 6. Identify the privacy issues – Compare the project’s personal information handling practices against the privacy obligations set out in the [GDPR] to identify any privacy issues.
  • 7. Identify options to address the privacy issues – Consider what options will address the privacy issues. If there are multiple options, evaluate the cost, risk and benefit of each option to identify the most appropriate one.
  • 8. Prepare the PIA Report – Provide a report that sets out the information gathered throughout the PIA and its findings to the relevant governance body for approval.
  • 9. Action the agency's response to the PIA Report – Incorporate the tasks necessary to action the agency's response to the PIA Report into the wider project management process.

SLIDE 8

References

  • EU GDPR, 2017. Article 35 EU GDPR ”Data protection impact assessment”. (http://www.privacy-regulation.eu/en/35.htm)
  • ISO/IEC 29134, 2017. Information technology – Security techniques – Guidelines for privacy impact assessment. (https://www.iso.org/standard/62289.html)
  • Wright, D., 2012. The state of the art in privacy impact assessment. Computer Law & Security Review, 28(1), pp. 54-61.
  • Clarke, R., 2009. Privacy impact assessment: Its origins and development. Computer Law & Security Review, 25(2), pp. 123-135.
  • OIC, 2017. Overview of the Privacy Impact Assessment (PIA) process. (https://www.oic.qld.gov.au/guidelines/for-government/guidelines-privacy-principles/privacy-compliance/overview-privacy-impact-assessment-process)

Icons and Images: Graphiqa Stock (https://www.iconfinder.com/graphiqa), Vectto (https://www.iconfinder.com/vectto), Alla Afanasenko (https://www.iconfinder.com/alla.afanasenko)