TrustArc Chief Data Governance Officer and General Counsel Hilary Wandall and Information Accountability Foundation (IAF) Executive Director and Chief Strategist Marty Abrams held a webinar where they spoke about the background, requirements, and examples of DPIAs, available on demand here.
GDPR Requirements for DPIAs
First, they traced the evolution of privacy assessments: how the first privacy impact assessment (PIA) methodology was developed, and how the more comprehensive data impact assessments grew out of it.
Then, they explained how the newly required DPIAs differ from traditional PIAs. A traditional PIA focuses on technical compliance requirements; a DPIA also takes in larger ethical questions. Technical requirements address risk to the organization: does the organization meet the technical implementation requirements of the privacy laws and frameworks that apply to it? The risks in view are breaches, regulatory exposure, and reputational damage, including adverse media coverage. Typical technical controls that address them include privacy notices, honoring opt-outs, maintaining a security program, and having a process for handling security breaches. The larger ethical questions go beyond those requirements and ask whether the processing creates value for others, not only for the organization, and what the processing means for the individuals whose data is involved.
The GDPR links data protection to the fundamental rights of the individual: it gives individuals a right to autonomy where that is appropriate, and a right to have their data processed fairly. It also requires organizations to have a lawful basis for every processing activity; where that basis is legitimate interest, the organization must balance its own interests against the interests and rights of the data subjects, and document that it has done so.
To help organizations work with this newer concept of weighing the benefits of processing against its risks, TrustArc is working with the IAF to develop a DPIA construct that helps organizations articulate the benefits that come with the processing alongside the risks. The DPIA process will be powered by the TrustArc Platform, which provides a systematic, scalable workflow for completing DPIAs and producing the documentation needed to track issues, mitigate risk, and demonstrate what protections are in place for the rights of individuals, including in the event the organization must consult with an EU data protection authority (DPA) before proceeding with the processing.
Finally, the webinar wrapped up by showing how the DPIA process can fit into a larger enterprise risk management program, using the real-life example of employee monitoring.