How to create a PIA? The essential points

This article is taken from the webinar "How to carry out a PIA in practice: the essential points" which you can find here.

What is a PIA?

The PIA (Privacy Impact Assessment) aims to construct and demonstrate the implementation of privacy protection principles so that people affected by data processing retain control of their personal data. These principles are both legal (contracts with stakeholders, information notices...) but also technical (firewall, encryption...).

When to carry out a PIA?

The impact analysis must be carried out by the data controller when a type of processing, in particular one using new technologies, is likely to create a high risk for the rights and freedoms of natural persons, taking into account the nature, scope, context and purposes of the processing.

If the processing meets at least two of the criteria set by the G29 (the Article 29 Working Party), the impact analysis is necessary:

  • Evaluation/Scoring
  • Automatic decision with legal effect
  • Systematic monitoring
  • Sensitive data
  • Large scale
  • Data cross-referencing
  • Vulnerable people
  • Innovative use
  • Transfer outside the EU
  • Blocking a right/contract

Impact analysis is not necessary:

  • If the processing is not likely to cause high risks
  • If the processing is already authorized, as long as it complies with the implementation conditions

Legal basis: the CNIL publishes a list of types of processing operations for which an impact analysis is required, and also a list of types of processing operations that do not require one.

How to create a PIA?

The PIA can be divided into several stages:

Writing the analysis

Start by creating a functional diagram of the processing that details the flow of personal data and the media it is stored on, from collection to destruction.

It is then necessary to identify the legal, physical, logical and organizational security measures implemented or planned by the controller to comply with legal requirements and address privacy risks in a proportionate manner.

Subsequently, you must identify potential data breaches, specifying the severity of the impacts on the people concerned and the likelihood of the threats making these breaches possible.

Assessment

The person in charge of the analysis (internal or external DPO, service provider...) then evaluates the effectiveness of the measures put in place to reduce the risks of the processing. The aim is to reach an acceptable residual risk before the data processing is implemented.

Validation

Final step: decide either to validate the planned way of respecting the principles of privacy protection and addressing the risks, or to revise the previous steps.

If the risks remain too great, you must then request authorization from the CNIL.
