In my last article, we introduced SAS® Personal Data Compliance Manager and how the solution allows you to record processing activities for complying with GDPR Article 30. However, in certain situations these processing activities could require a Data Protection Impact Assessment (DPIA), also known as a Privacy Impact Assessment (PIA).
Legal background
A DPIA or PIA is one of the specific processes required by the GDPR. Impact assessments are not new, as similar risk assessments are also required by ISO/IEC 27001. A DPIA aims at identifying the risks related to the use of personal data within one or several processing activities by evaluating them against the GDPR principles. For each identified risk, safeguards and security measures must be defined. GDPR Article 35 defines three conditions under which a DPIA must be conducted:
- When evaluating a natural person using automated processing (including profiling) to make decisions that have legal impacts on the data subject. The use of new technologies – e.g., big data or AI – on personal data is typically that situation.
- When processing large quantities of special categories of data, or personal data relating to criminal convictions and offences.
- When systematically monitoring a publicly accessible area on a large scale, e.g., CCTV.
According to the UK Information Commissioner, a DPIA should contain:
- A description of the processing operations and the purposes, including, where applicable, the legitimate interests pursued by the controller.
- An assessment of the necessity and proportionality of the processing in relation to the purpose.
- An assessment of the risks to individuals.
- The measures in place to address risk, including security, and to demonstrate that you comply.
Assessing data protection risk with SAS® Personal Data Compliance Manager
Within SAS Personal Data Compliance Manager, one DPIA pre-assessment is required for each processing activity. This pre-assessment is key, as the absence of a DPIA would have to be justified to the supervisory authority in case of an audit.
Information collection is structured through three tabs and is workflow driven. The Details tab in the picture below provides a view of the processing activities involved in the DPIA, as well as an overview of the Privacy Risk Assessment. Depending on the risk severity of the assessment, regular reviews will be required. SAS Personal Data Compliance Manager also supports defining and scheduling notifications to ensure such reviews take place.
SAS® Personal Data Compliance Manager – DPIA definition
The Data Protection Assessment tab conducts the DPIA through a series of questions covering topics such as collection, use, retention, sharing and transfer, access and security, and data privacy assessment. Based on the answers provided, the risk (inherent and residual) is calculated by SAS Personal Data Compliance Manager. Supporting documentation can be attached to the DPIA.
SAS® Personal Data Compliance Manager – DPIA
In the following articles, we will take a closer look at personal data mapping, which allows you to identify and categorize personal data across systems, as well as to build a consistent view of all your data assets and processing activities.