Under the new regulation on personal data protection, the data controller shall implement appropriate technical and organisational measures to ensure, and to be able to demonstrate, that processing is performed in accordance with the Regulation.
Article 35 of Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) concerns the Privacy Impact Assessment (also referred to as the Data Protection Impact Assessment, DPIA).
This article provides that "Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks."
Thus, the Privacy Impact Assessment makes it possible to:
- Carry out processing of personal data that respects privacy;
- Assess the impact on the privacy of the persons concerned;
- Demonstrate that the fundamental principles of the Regulation are respected.
Here are some examples of processing operations that do or do not require a PIA:
Source: Guidelines on Data Protection Impact Assessment, Article 29 Working Party (G29)
For more information:
Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is "likely to result in a high risk" for the purposes of Regulation 2016/679, adopted on 4 April 2017.