New ICO guidelines on privacy impact assessments pre-empt EU reforms, says expert

Out-Law News | 26 Feb 2014 | 9:56 am | 3 min. read

Businesses can prepare themselves for changes in EU law by following the UK Information Commissioner's new guidelines on conducting privacy impact assessments (PIAs), an expert has said.

Data protection law specialist Kathryn Wynn of Pinsent Masons, the law firm behind Out-Law.com, said that businesses that follow the new code of practice on PIAs published by the Information Commissioner's Office (ICO) will be better prepared to comply with the new EU data protection laws when they are introduced.

"Conducting PIAs is the best way organisations can flesh out what the privacy issues relevant to new products and services they seek to offer are," Wynn said. "They will help flag issues that may otherwise have been missed by an organisation and allow them to make changes to the way they intend to process or otherwise handle personal data to reduce or manage any risks to privacy."

"Organisations that undertake PIAs can also hope to be treated more leniently by regulators such as the ICO if they experience a breach of data protection rules and are placed subject to enforcement action," Wynn added.

"There is a realisation that not all data breaches are preventable, so businesses that can show they assessed the risks of processing personal data, put measures in place to mitigate those risks or otherwise can identify the reasons why they decided to proceed with projects despite risks being present, for example to derive benefits that override privacy risks, will be better placed to escape the stiffest fines or other enforcement action than those that do not," she said.

"In addition, the General Data Protection Regulation looks set to require many organisations to undertake PIAs by law. Following the ICO's new code will help smooth the process for businesses in terms of their compliance with the Regulation when it is eventually introduced into EU law," Wynn said.

A PIA is simply a process for evaluating a proposal to identify its potential effects upon individual privacy and data protection compliance; to examine how any detrimental effects might be overcome; and to ensure that new projects comply with the data protection principles. In the UK, the Data Protection Act (DPA) does not oblige organisations to conduct privacy impact assessments, but the ICO has said they are useful tools for organisations to use to help them comply with the requirements set out in the DPA.

Under the plans backed by MEPs, organisations operating in the EU may be required to undertake privacy impact assessments by law in future.

The General Data Protection Regulation as envisaged by the MEPs, but which is currently still subject to negotiation and change, would require organisations to conduct a "risk analysis" to identify the potential impact of their intended data processing activities on individuals' rights and freedoms in an effort to identify whether the "processing operations are likely to present specific risks".

The proposals list some examples of personal data processing activities that are likely to present "specific risks". These include cases where organisations intend to process the personal data of more than 5,000 people over the course of a year, where the data is sensitive, where the processing involves systematic monitoring of individuals, or where the processing produces individual profiling that significantly affects the people concerned.

Where the processing falls within one of the cited examples, organisations would be obliged to undertake a wider data protection impact assessment. This would entail reviewing how their handling of personal data, from "collection to processing to deletion", would affect individuals' privacy rights.

Organisations undertaking the assessments would need to review the necessity and proportionality of their proposed processing activities and the risks to individuals' rights and freedoms those operations would cause. They would also need to outline the measures they intend to take to address those risks, as well as the safeguards and security measures that would ensure the protection of the personal data being processed. Every two years, organisations would be required to undertake a "compliance review" to "demonstrate that the processing of personal data is performed in compliance with the data protection impact assessment".

The ICO's new code, among other things, recommends that businesses engage with internal and external stakeholders as part of the PIA process. It suggests that the views of project managers, data protection officers, IT staff, the procurement team and senior management, among others, should be sought when assessing the risks of personal data processing and when seeking ways to mitigate them.

As part of its new guidance, the ICO has published template screening questions which organisations can ask themselves when undertaking PIAs.

"The development of projects involving the processing of large amounts of personal information is no longer the preserve of the public sector and large businesses," the ICO's head of policy Steve Wood said in a statement. "Today even an app developer can be developing a product in their bedroom that involves using thousands of people's information. This is why we have published our updated privacy impact assessments code of practice to help organisations of all sizes ensure that the privacy risks associated with a project are identified and addressed at an early stage during a project's development."

"The updated code is designed to ensure that privacy impact assessments fit into the project development process, allowing organisations to follow a privacy by design approach to developing new ways of using people's information. Successfully adopting this approach can only be good for consumers and for business and can enable organisations to demonstrate their compliance with the Data Protection Act," he added.