Privacy Impact Assessments (PIAs) Workshop


1 Privacy Impact Assessments (PIAs) Workshop
CPD CODE:
Association of Compliance Officers in Ireland, 4th October 2016
Anne-Marie Bohan, Partner, Matheson

2 ACOI Workshop: Privacy Impact Assessments, 4 October 2016, by Anne-Marie Bohan

3 Privacy Impact Assessments
A methodology for assessing the impacts on privacy of a project, policy, programme, service, product or other initiative and, in consultation with stakeholders, for taking remedial action as necessary in order to avoid or minimise negative impacts.

4 Benefits of a PIA
- Identification of risks to privacy
- Solutions to avoid or mitigate risk
- Early warning system
- Education
- Cost minimisation
- Demonstration of compliance
- Liability management
- Trust and confidence; transparency
- Regulator's views

5 GDPR
- Required where processing is likely to result in a high risk to the rights and freedoms of individuals (the GDPR term is a data protection impact assessment, DPIA)
- Triggers: new technologies; a new kind of processing; no previous impact assessment; lapse of time since the last assessment
- Consultation with the supervisory authority prior to proceeding where residual risk remains high
- Scope: do not consider processing operations in isolation

6 GDPR: high risk
- Large-scale processing
- Security / special categories of data
- Difficulty for individuals in exercising their rights
- Systematic and extensive evaluation based on automated processing
- Systematic monitoring of publicly accessible areas

7 GDPR: role of the supervisory authority
- Publishes a list of processing types requiring a PIA
- Set timeframes for prior consultation: 8 weeks, extendable by a further 6 weeks
- Consultation during the legislative process
- Advice of the data protection officer
- Assistance from processors

8 Consultations: information provided to the supervisory authority
- Respective responsibilities of the controller, joint controllers and processors
- Purposes and means of the processing
- Safeguards
- Role and contact details of the data protection officer
- The PIA itself
- Other information requested by the supervisory authority

9 GDPR PIAs: required contents
- Description of the processing operations
- Description of the purposes
- Necessity and proportionality assessment
- Risk assessment
- Measures to address the risks
- Measures to demonstrate compliance

10 GDPR
- Compliance with approved codes of conduct is taken into account
- Consultation with data subjects or their representatives
- Reviews to assess whether processing remains compliant
- Exemptions: where the supervisory authority determines a PIA is not required; where the law regulates the specific processing and a PIA has already been carried out

11 Examples of PIA methodologies
- UK Information Commissioner's Office (ICO)
- HIQA (Health Information and Quality Authority, Ireland)
- Australia
- New Zealand
- Canada
- US


14 When to do a PIA
- GDPR PIAs
- GDPR data protection by design and by default
- Broader requirement? Products, services, projects, programmes, policies, other initiatives
- Need not be a large project

15 When to do a PIA: timing
- A balance: once enough information is available, but before significant investment is made

16 Elements of the PIA process
- Threshold assessment
- Risk identification
- Risk management
- PIA report
- Review and audit

17 Scoping the PIA
- Stakeholders
- Functions and responsibilities
- Deliverables
- Outcomes
- Scope

18 Responsibility for the PIA
- Project manager
- External consultants?
- Data protection officer
- Senior executives and board

19 Objectives of a PIA
- Identification of privacy impact
- Appreciation of the impact by stakeholders
- Assessment of the acceptability of the project
- Assessment of alternatives
- Identification of mitigants and avoidance measures
- Business justification of unavoidable impacts
- Documentation

20 UK ICO Code of Practice
- Identifying the need for a PIA
- Describing information flows
- Identifying privacy and related risks
- Identifying and evaluating privacy solutions
- Signing off and recording the PIA outcomes
- Integrating PIA outcomes back into the project plan

21 PIA Report
- Project description
- Privacy impact analysis
- Business case
- Privacy design features
- Public accountability

22 The need for a PIA
- Part of the project management process
- Screening questions: data; data sources; disclosures; new use; new technology; impact on individuals; sensitivity of data; contracts

23 Information flows
- Collection
- Storage and retention
- Use
- Disclosure

24 Identifying risks
- Privacy risks to individuals
- Compliance risks
- Risk management methodologies
- Industry standards
- Likelihood and severity
- Risk registers

25 Solutions
- Linked to the identified risks
- Identify options and their effect
- Anonymisation
- Data sharing
- Technical measures
- Contracts
- Training

26 Sign off
- Agreed solution
- Acceptable risks
- Responsibilities
- Transparency and accountability
- Publication?

27 Review and audit
- Integration into the project or product
- Ongoing review
- Periodic audits


29 Contact
Anne-Marie Bohan, Matheson
70 Sir John Rogerson's Quay, Dublin 2
E: anne-marie.bohan@matheson.com