Data Privacy 101: What is a Privacy Impact Assessment?
We live in an era where personal data is so valuable that many business models and economies are now actually built around its collection and use. To prevent or at least discourage abuse, governments develop laws that aim to regulate this phenomenon. The Philippines has Republic Act No. 10173, or the Data Privacy Act of 2012 (DPA), with the National Privacy Commission (NPC) overseeing its proper implementation.
For many, understanding the law’s provisions and translating DPA compliance into an organization’s day-to-day operations is a daunting but necessary task.
The two will be authoring a series of articles that take up the various compliance elements of the law, as seen from two vantage points, and presented in FAQ form. In this issue, they talk about privacy impact assessments.
What is a Privacy Impact Assessment?
Ivy: A Privacy Impact Assessment (PIA) is a process for managing risks to data privacy caused by the processing of personal data. Undertaken primarily for programs, projects, and processes, it may also be performed on an entire organization or for a specific technology product.
It provides a systematic means of answering questions like: What personal data are you processing? How is it being processed? What are the existing measures for data protection? What aspects of processing can potentially cause harm to concerned individuals, the organization, or the public? How can the risks of harm be addressed?
A PIA requires an organization to evaluate its current operation to identify risks to data privacy and security, to evaluate the impact and likelihood of these risks, and to develop a plan for addressing them. It includes a review process that allows for continuity and sustainability.
Simply put, it is a means through which we anticipate and prepare for potential problems caused by personal data processing. This way, we ensure the realization of the latter’s benefits with minimal risk of harm to individuals.
What is a DPIA, and is it different from a PIA?
Jam: DPIA refers to the Data Protection Impact Assessment, which is featured in the European Union’s (EU) General Data Protection Regulation (GDPR). It is essentially the same as a PIA, except that there are differences in the way they are carried out.
For instance, a DPIA is mandatory in 3 instances:
- In automated processing involving a systematic and extensive evaluation of an individual’s personal aspects and which leads to decisions that significantly affect him or her
- In large scale processing of special categories of data, or personal data relating to criminal convictions and offenses
- In large scale systematic monitoring of public areas
The GDPR also instructs each EU member country to publish a list of data processing systems that must be subjected to a DPIA. A PIA, on the other hand, is not explicitly required by the DPA. The NPC requires it for government agencies, but it’s via the Commission’s Circular No. 16-01.
In the EU, failure to conduct a mandatory DPIA can lead to serious fines. A hefty €10 million fine is imposed on an entity that fails to carry it out on a particular processing. The same is true if DPIA is done improperly, or the entity fails to consult the data protection authority, if required by law. If it’s related to an undertaking, the fine could go up to 2% of the entity’s total global income for the previous financial year.
Contrast this with a failure to conduct a PIA, which is not punishable under any existing policy. Organizations are warned, though, that it may be a critical factor in an investigation or case where the NPC or the courts are trying to determine if they exercised due diligence in protecting personal data under their control or custody.
Why is it important to conduct a PIA?
Ivy: A PIA allows an organization to implement a risk-based approach to data protection. It tells an organization how it can start complying with the DPA and related regulations, by enabling it to prioritize high-risk processing activities and strategize for long-term compliance.
A PIA also demonstrates an organization’s commitment to comply with data protection laws, and shows that it admits to being accountable for all the personal data it processes. If the PIA is conducted for the entire organization, it will also facilitate and assist in meeting the registration requirements of the NPC, including the maintenance of records of the organization’s processing activities. Critical information necessary to improve existing policies and procedures, including privacy notices, will also be obtained.
Finally, a PIA drives data protection awareness throughout an entire organization by requiring stakeholder participation. Personnel gain a sense of ownership over the data protection measures implemented based on the results of the PIA, making them more likely to abide by such measures.
Is there an ideal or recommended method for carrying out a PIA?
Jam: For the moment at least, there isn’t a specific PIA methodology that is recommended or considered superior over others being endorsed by different organizations or service providers.
Sometimes, a data protection authority like France’s Commission Nationale de l'Informatique et des Libertés (CNIL) develops its own system and its constituency would, of course, do well to consider that for their own PIA process.
There are also standard-setting bodies like the ISO that have developed their own PIA approach (i.e., ISO/IEC 29134:2017). Naturally, those seeking to obtain certifications from these bodies would have to adopt their prescribed methodologies.
Still, none of these have led to a claim that one methodology works better or is more effective than the others. For the purpose of demonstrating diligence in developing its privacy management program, an organization is free to develop its own PIA method. In many cases, an organization borrows aspects from different sources in order to arrive at a unique process that caters to its concerns and needs.
Ivy: The NPC does not prescribe a particular method for carrying out a PIA, provided it accomplishes the purpose of risk assessment. Organizations can look to NPC Advisory 2017-003 (“Guidelines on Privacy Impact Assessments”) which suggests the following considerations when determining the appropriate PIA methodology to adopt:
- It should provide a data inventory, a description of the data flow and processing activities of the organization, as well as existing security measures for data protection.
- It should include an assessment of the organization’s adherence to the data privacy principles and implementation of security measures, including mechanisms allowing people (i.e., data subjects) to exercise their rights over their data.
- It should identify and evaluate natural and man-made risks posed by a data processing system to the rights and freedoms of affected individuals. Then, it should propose measures that address and manage these risks.
- It should be an inclusive process, in that it involves all concerned parties and obtains inputs from the Data Protection Officer and data subjects.
What are some of the issues or challenges encountered when conducting a PIA?
Ivy: The primary challenge is understanding what the PIA is about. This may be overwhelming for some organizations if they do not understand its purpose, and how important it is in the compliance journey.
While the PIA is not a simple process, it is also not so complicated that it cannot be undertaken by an organization that has limited resources. There is a need to increase awareness and develop new strategies to capacitate organizations in this regard. The goal is to make PIA a regular activity and an integral component of organizational strategies. Many of the common challenges in its actual conduct can be addressed by good planning and management support.
Jam: There are plenty. But let me focus on a few recurring ones:
- Lack of understanding and appreciation of the value of a PIA. It’s difficult to carry out when company personnel whose inputs and involvement are crucial to a PIA view it merely as an additional burden, do not consider it a priority, or are simply not interested in its merits. It’s worse if management is of the same mindset.
- Poor or complete lack of documentation. Many companies actually do not have proper documentation of their operations and processes. Without it, carrying out a PIA becomes much more difficult, since the base information needed for the entire PIA process is lacking.
- Confusing organizational structures. Also key in a PIA is identifying the Process Owners or that office or unit responsible for a specific process, program, or project. In many cases, a company does not follow its organizational structure. This makes it confusing, even for its own personnel, when determining whose responsibility it is to manage a particular data processing system, including the conduct of a PIA thereon.
How often should one conduct a PIA?
Jam: There are 6 instances when a PIA is recommended:
- when it has never been conducted by an organization for any of its data processing systems
- when there is a new data processing system
- when substantial changes are introduced to an existing data processing system
- when there are significant external developments that could potentially impact an existing data processing system
- when an existing data processing system is involved in a major data breach, or recurring security incidents
- when it is according to a pre-determined schedule
In the case of the last item, an organization can rely on any number of factors (e.g., available resources, potential disruption to operations, complexity of PIA method, degree of risk appetite, etc.) when determining its preferred schedule. – Rappler.com
Ivy Patdu is a member of the National Privacy Commission, sitting as its deputy privacy commissioner responsible for policies and planning. She is also a member of the e-Health Privacy Expert’s Group and faculty member of the Ateneo de Manila Law School and San Beda College of Law-Alabang. She has worked on data privacy since 2011.
Statements of the individuals here are not official positions of their respective affiliations.