If your company processes personal or sensitive personal data from your customers or personnel (or anybody, for that matter), then you need to prevent this data from being misused. To make this process as systematic as possible, privacy professionals conduct privacy risk assessments.
Of these assessments, two of the most widely used ‘flavors’ are Privacy Impact Assessment (PIA) and Data Protection Impact Assessment (DPIA).
So, what are the differences and similarities between the PIA vs DPIA?
Are PIA and DPIA the Same?
In principle, a PIA and DPIA are similar in terms of how they approach privacy issues. There are overarching, universal principles and themes concerning the collection, use and disclosure of personal data. However, the particulars of each assessment will vary based on applicable laws, industry sector, business model, the nature of the processing activity being assessed, and any other bespoke factors.
Overarchingly, the goal of any kind of privacy assessment is to understand the requirements, tradeoffs and potential harms of processing personal data, particularly where the activity carries an intrinsic potential for harm, or consequences that outweigh its benefits (for instance, using cameras with facial recognition technology in the vicinity of a women’s health clinic).
Privacy frameworks like the European Union’s (EU) General Data Protection Regulation (GDPR), and the UK GDPR that retained it in the United Kingdom, require organizations to conduct a DPIA (Article 35) when a processing activity is likely to result in a high risk to the rights and freedoms of individuals.
In contrast, a PIA is a more general term of art. In the US it arises from the formal assessments federal agencies must conduct under Section 208 of the E-Government Act of 2002.
When comparing PIA and DPIA, it helps to review their scope and application particularly in the United States.
What is a PIA Used For?
Broadly speaking, a PIA is a privacy-compliance assessment often used to identify privacy requirements for a new product, project or activity, or for any change to a company’s privacy practices, policies or promises.
Let’s explore some use cases of a PIA within the United States.
How is a PIA Used in the US?
If you’re wondering about PIAs in the context of the U.S., look no further than the way they’ve been used by federal agencies such as the Federal Trade Commission and the Department of Homeland Security. Both provide a starting point for the areas commonly covered by a PIA (which can of course vary by industry and geography). Per the Federal Trade Commission (FTC), a PIA assesses how an organization handles the data it collects, uses, shares or maintains. Through its privacy impact assessments, the FTC demonstrates compliance with privacy safeguards, including how it mitigates privacy risks to the personal data it processes.
Similarly, the Department of Homeland Security (DHS) uses a PIA to make decisions about identifying and mitigating data privacy risks by evaluating:
- What information is collected
- Why information is collected
- How information is processed
Per the DHS, a PIA is used for:
- Complying with data privacy requirements
- Identifying the risks of data processing activities
- Evaluating safeguards to address privacy risks
Public-sector bodies and organizations in highly regulated sectors such as banking, finance and consumer lending also conduct such assessments. In truth, any U.S. organization that processes personal information is wise to undertake PIAs as a matter of good practice.
What is a DPIA under the EU GDPR?
The European Union’s General Data Protection Regulation (GDPR) is a landmark privacy and data protection law with global reach. Under Article 3, its requirements apply to organizations established in the EU and, regardless of location, to organizations that offer goods or services to, or monitor the behavior of, individuals in the EU. Companies operating outside the EU therefore still must comply with the GDPR if they want access to this market.
Under the GDPR, a Data Protection Impact Assessment (DPIA) is a formalized process used to evaluate the potential risks and impact of a product, project or activity on individuals’ personal data and privacy rights. Article 35 requires a DPIA for processing that is likely to result in a high risk to the rights and freedoms of natural persons, and the assessment must be carried out before the processing begins.
When Should Companies Use a GDPR DPIA?
Determining whether an activity is likely to result in a high risk will ultimately depend on the nature of a Europe-facing processing activity.
Article 35(3) of the GDPR names three kinds of processing that always require a DPIA:
- A systematic and extensive evaluation of personal aspects based on automated processing, including profiling, on which decisions are based that produce legal effects for individuals or similarly significantly affect them.
- Large-scale processing of special categories of personal data (Article 9) or of data relating to criminal convictions and offences (Article 10).
- Systematic monitoring of a publicly accessible area on a large scale.
Data protection authorities have expanded on these criteria. The Article 29 Working Party guidelines (endorsed by the European Data Protection Board) and the national supervisory-authority lists published under Article 35(4) identify the factors below as indicators of likely high risk:
- Profiling of individuals using personal data
- Automated decision-making processes that may impact data subjects
- Systematic monitoring of individuals in public spaces
- Large-scale processing of data
- Processing special categories of GDPR personal data
- Merging data collected via various processes
- Collecting data belonging to persons who are incapacitated
- Using new technologies to process data
- Transferring data to countries outside the EU/EEA
- Limiting the rights of data subjects when processing data
The three Article 35(3) cases require a DPIA on their own. For the other factors, the EDPB-endorsed guidelines take the view that processing meeting two or more of them will in most cases be likely to result in a high risk and so require a DPIA; a controller that decides not to conduct one for processing that meets a single criterion should document the reasons for that decision.
What Do Companies Need to Conduct a PIA or DPIA?
Overarchingly, a PIA or DPIA follows these contours:
- Fact finding
- Consulting with internal stakeholders and experts
- Reviewing applicable legal & regulatory requirements
- Assessing whether the activity is lawful, transparent, necessary and proportional
- Identifying and classifying observed gaps and issues by their impact
- Consulting with external experts including regulatory authorities, as needed
- Proposing technical, contractual and/or organizational measures to mitigate risk
- Obtaining necessary sign-offs on outcomes and mitigation plans
- Putting the mitigation plan into action
- Setting a timeframe for revisiting the PIA/DPIA, including when the use case changes
These are meant as general guidelines to help organizations conduct assessments; organizations are encouraged to be agile in their PIA/DPIA efforts.
How to Prepare for a PIA
Facts and context matter. Preparation for a privacy impact assessment hinges on collecting as much information as possible about the processing activity.
For example, when conducting a PIA in line with the E-Government Act of 2002, the U.S. Securities and Exchange Commission documents the following:
- Types of personal data currently processed
- Purposes for which they collect the personal data
- Practices used to share personal data internally or externally
- Notices issued to individuals so they can consent to or decline the collection of their data
- Controls currently in use to safeguard access to data environments
No single individual has all the answers. The purpose of your assessment will inform who should be involved in fact gathering, and to what degree. For example, if your goal is to help Marketing refine its use of a sophisticated marketing technology platform, a marketing manager will have the most insight into the business goals or challenges such a platform is meant to solve.
How to Prepare for a DPIA
GDPR-covered organizations must do the same. Fact-finding is universal but the specific facts and circumstances will vary from organization to organization.
When preparing for a GDPR DPIA, Article 35(7) requires the assessment to contain at least:
- A systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller.
- An assessment of the necessity and proportionality of the processing operations in relation to those purposes.
- An assessment of the risks to the rights and freedoms of data subjects.
- The measures envisaged to address those risks, including safeguards, security measures and mechanisms to ensure the protection of personal data.
- Evidence that the processing complies with the GDPR, taking into account the rights and legitimate interests of data subjects and other persons concerned.
The DPIA information-gathering process will follow the same general patterns as a PIA:
- Project proposals or briefs that provide critical business level context
- Types of individuals concerned (e.g. customers vs employees)
- Types of personal data involved (e.g. contact information, demographics, online behaviors, etc)
- Presence of any sensitive data (e.g., health data, a special category under the GDPR, or precise geolocation, which the CPRA treats as sensitive personal information)
- Sources of the data (e.g., account creation process, tracking cookies)
- The scale and reach of the processing activity (e.g., number of individuals affected; local vs. international)
- The involvement of any other parties (e.g. vendors, business partners, other lines of business, etc)
- What privacy policies say or what promises are being made that may affect the activity
- What contracts say about the activity
- What existing technical or organizational measures cover
Developing Your Privacy Foundation
Whether you’re required to comply with the GDPR, the CPRA or other privacy frameworks, a strong privacy foundation starts with gaining greater visibility into your data practices. Beyond the challenges of conducting privacy assessments, you may also be wondering how to integrate these assessments into your privacy program.
That’s where DataGrail can support your company’s mission.
Integrated Privacy Risk Management with DataGrail
Building a robust data privacy program starts with implementing methodologies to address privacy risks across your entire IT infrastructure. If your organization processes personal data (PD/PI/PII), conducting PIAs or DPIAs as needed is a critical part of any privacy management program.
Today’s high-impact data privacy risks are best managed with all-in-one solutions that offer automated data integration, compliance management, and risk monitoring. As your privacy partner, we’ll help you set the foundation for long-term data privacy and security, helping you remain compliant with the GDPR and the CCPA/CPRA.
Request a demo of our data privacy platform today.
Department of Homeland Security (DHS). Privacy Impact Assessments. https://www.dhs.gov/privacy-impact-assessments
GDPR.eu. Data Protection Impact Assessment (DPIA). https://gdpr.eu/data-protection-impact-assessment-template/
GDPR-info.eu. Privacy Impact Assessment. https://gdpr-info.eu/issues/privacy-impact-assessment/
GDPR.eu. Sample DPIA Template. https://gdpr.eu/wp-content/uploads/2019/03/dpia-template-v1.pdf
Federal Trade Commission (FTC). Privacy Impact Assessments. https://www.ftc.gov/policy-notices/privacy-policy/privacy-impact-assessments
U.S. Securities and Exchange Commission (SEC). Privacy Impact Assessment (PIA) Guide. https://www.sec.gov/about/privacy/piaguide.pdf