The new EU General Data Protection Regulation (GDPR) confirms that privacy must be designed into the processing of personal data by default. This ‘privacy by design’ concept is not new: it has for many years been recommended by the UK Information Commissioner’s Office (ICO), as set out in its earlier Conducting privacy impact assessments code of practice.
What is new?
What is new, and defined in Article 35 of the GDPR, is that data protection impact assessments (DPIAs) are mandatory wherever an organisation’s processing, in particular processing that uses new technologies, is likely to result in a high risk to the rights and freedoms of data subjects.
Privacy impact assessments
Privacy impact assessments (PIAs) are at the heart of a privacy by design approach. They allow organisations to find and fix problems at the early stages of a project, reducing the costs and reputational damage that might otherwise follow a breach of data protection laws and regulations. Such projects could include a new business acquisition, a new service, or even a new marketing campaign targeting a group of prospects. PIAs also help to meet the growing privacy and data security expectations of customers, employees and other stakeholders.
Our view is that PIAs (or DPIAs, in EU parlance) should be used as default strategic tools by all UK organisations that process, store or transfer personal data. In addition to meeting the requirements of the GDPR, they are an essential component of the risk-based approach of ISO 27001, which is designed to implement and maintain effective information security.
Workshops and training
To help you get started immediately, I can recommend our Privacy Impact Assessment (PIA) Workshop, a one-day classroom session designed to give delegates the practical knowledge to deliver effective PIAs. It costs just £350 + VAT, and the next session runs in London on 1 July 2016.
If you would like to learn more about the new GDPR, we have just launched the Certified EU General Data Protection Regulation (GDPR) Foundation training course, which is scheduled to run in Cambridge and London (classroom) or as Live Online sessions (wherever you are).