How to carry out a PIA
Consultation, internal and external, is an integral part of conducting a successful PIA. It can take place at any point in the process and should be considered at all stages within the process.
There is no set procedure for conducting a consultation. If you have a DPO they must be involved in the process. You should consider consulting:
- internal stakeholders: eg, IT team, communications team, procurement team, potential suppliers and data processors, sales team and other customer facing roles, compliance team and senior management; and
- external stakeholders: ie people who will be affected by the project—depending on the nature of the project this could be your clients or your own staff.
Identify the need for a PIA
The need for a PIA can be identified as part of an organisation’s usual project management process.
The ICO suggests eight screening questions.
Answering yes to any of the ICO’s screening questions is an indication that a PIA would be a useful exercise.
Describe the information flows
Explain what information is used, what it is used for, who it is obtained from and disclosed to, who will have access, and any other relevant information.
You can record the flow of information/data in whichever format best meets your needs, eg a flowchart, information asset register or project design brief.
Identify privacy and related risks
Consider the following three types of risk:
- risks to individuals: eg risks to physical safety of individuals, material impacts (such as financial loss) or moral (for example, distress caused); the risk that inadequate disclosure controls could increase the likelihood of information being shared inappropriately;
- corporate/organisational risk: eg sanctions, fines or compensation claims arising out of data loss; problems which are only identified after the project has launched are more likely to require expensive fixes; and
- compliance risks: non-compliance with data protection principles could result in monetary penalties and reputational damage.
Identify and evaluate privacy solutions
Consider how you could address each risk. Some risks might be eliminated altogether. Other risks might be reduced. Most projects will require you to accept some level of risk, and will have some impact on privacy.
Record the likely costs and benefits of each approach. Think about the available resources, and the need to deliver a project which is still effective.
If a risk cannot be mitigated, reduced or eliminated consider whether to reject the proposal or to accept the risk. You may need to report serious risks to the ICO.
Sign off and record the PIA outcomes
Produce a PIA report to ensure privacy risks are signed off at an appropriate level, eg by your board, managing partner, risk partner, and/or DPO.
A PIA report should summarise the process, and the steps taken to reduce the risks to privacy. It should also record the decisions taken to eliminate, mitigate, or accept the identified risks. The PIA report or a summary should be made available to appropriate stakeholders.
Consider publishing the report or a summary: publishing a PIA report will improve transparency and accountability.
Integrate the PIA outcomes back into the project plan
Ensure the steps recommended by the PIA are integrated into your project plan and implemented.
It might be necessary to return to the PIA at various stages of the project’s development and implementation. Large projects are more likely to benefit from a more formal review process. Record what you can learn from the PIA for future projects.
Continue to monitor and review the PIA throughout the project life-cycle. Update as required.