Privacy Impact Assessments (PIAs), Data Protection Impact Assessments (DPIAs), and Transfer Impact Assessments (TIAs) are all similar in concept but vary greatly in terms of what, why, and when. And while it can be easy to confuse which one you need to conduct, each serves its own specific purpose and has its own specific requirements that must be observed.
PIAs are used to evaluate the potential privacy risks posed by the collection, use, and disclosure of data and are instrumental for compliance in areas such as data breach preparedness, developing privacy notices, and implementing Privacy by Design, among other things. DPIAs, on the other hand, are only necessary when there is a “significant”, “high”, or “heightened” risk to the rights and freedoms of individuals, for example when processing sensitive data or using new technologies. TIAs are a relatively new concept and are required for data transfers from the EU to third countries. A TIA is used to assess the risk involved in the transfer, which includes understanding the legal framework in the third country.
Let’s take a closer look at the important differences between these three assessments and some specific use cases for each.
What is a PIA, DPIA, and TIA?
Privacy Impact Assessments
PIAs are a fundamental tool used for evaluating an organization’s activities and for mitigating the privacy risks those activities pose to individuals and the business alike. In some cases, PIAs are mandatory for compliance with privacy laws; however, they can be seen as a best practice even where they are not required.
Typically, PIAs should be carried out at the start of a project to assess the privacy implications of the collection, use, and disclosure of personal information. Organizations should take note of what information needs to be included in a PIA as this can differ greatly in terms of scope, form, ways of being conducted, and even language depending on the law you need to comply with.
Data Protection Impact Assessments
The concept of a DPIA and a PIA is the same. Both assess the privacy or data protection risks associated with a new product or service, and both identify and apply the appropriate measures or controls to address those risks.
However, unlike a PIA, a DPIA is typically only required where the outcomes of a processing activity are likely to result in a “significant”, “high”, or “heightened” risk to the individuals concerned. This is often the case where sensitive personal data is involved or where new or novel technologies are to be used.
Another key difference between a PIA and a DPIA is which elements to include in the assessment. A PIA can have various structures depending on the jurisdiction or the business’s needs, whereas under the GDPR the contents of a DPIA are clearly defined.
Organizations should take care to understand and recognize the difference between a PIA and a DPIA, and to use the latter only when the relevant DPIA triggers are met. You may choose to complete an initial “risk analysis” or “threshold” questionnaire to understand the overall risk and determine whether a DPIA is required.
Transfer Impact Assessments
In the fallout from the Schrems II case, the European Data Protection Board (EDPB) released its guidance on how to properly safeguard personal data in the absence of an adequacy decision. As part of that guidance, the EDPB highlighted that organizations need to perform a TIA to evaluate the Article 46 transfer tool they are relying on in light of the legal framework and the practical application of the law in the third-country destination.
When conducting a TIA, organizations should consider the legal bases for government access requests in the third-country destination, whether organizations can refuse to comply with these requests, and the legal recourse available for doing so. A TIA can also be used to assess whether a destination country has entered into any legally binding international commitments or instruments related to data protection.
The outcome of a TIA should inform the measures that an organization uses to protect personal data to a standard equivalent to that found under the GDPR while being transferred outside of the EU.
Other variations of TIAs have become more commonplace over the past 12 months, and now jurisdictions including the UK and the People’s Republic of China (PRC) have developed and introduced their own versions of this type of assessment.
Using PIAs, DPIAs, and TIAs
PIAs to inform privacy notices and privacy by design
The outcomes of a PIA will have a wider impact on your privacy program and operations. For example, following the completion of a PIA, organizations will need to address any relevant privacy concerns that have been raised as part of the assessment in privacy notices. PIAs can also help to influence how new services and products are developed and Privacy by Design is baked in.
PIAs must be embedded into the product lifecycle so that they are conducted during the design process of a product, and the PIA must include the proper set of questions to help the product designers identify user-trust, legal, and engineering issues so that all Privacy by Design principles are integrated. The risks identified in a PIA should also be addressed with a treatment plan that, as a best practice, includes assigning risk owners, specific tasks related to the risks, and strict deadlines. Identified risks must not be left unattended.
In certain cases, the outcomes of a PIA will mean that your organization needs to update its privacy notice to reflect the updated privacy processes. The outcomes should also trigger further communication between different business functions to actively amend proposed products and services and to actively seek out more privacy-friendly settings or features.
Privacy notices are an organization’s way of effectively and transparently communicating their privacy practices and information about how consumers’ personal information is collected, used, and shared. So, if a high-risk processing activity is found to be taking place, privacy notices should be updated accordingly to inform individuals of how their information is being used, the steps the business is taking to mitigate the risk, and how individuals can exercise their rights or make complaints.
DPIAs for handling sensitive data
Sensitive data, or sensitive personal information (SPI) as it is also known, requires organizations to adopt specific, specialized measures to ensure a heightened level of protection is provided.
If triggered, a DPIA will help you outline these measures such as encryption or anonymization. A DPIA will also help to highlight areas of compliance under certain privacy laws that will need to be addressed in relation to SPI, such as the “Limit the Use of My Sensitive Personal Information” link requirement in California or having a valid legal basis to process SPI under the GDPR.
A DPIA will also help you to visualize what consent is needed to lawfully process the information. For instance, in Colorado, Connecticut, and Virginia, opt-in consent is required prior to processing, whereas in California and Utah consumers must be given the opportunity to opt out of the processing of the SPI prior to processing.
In cases of processing sensitive personal information, a DPIA will also help you ensure the confidentiality, integrity, and availability of the data. A DPIA can help organizations to see the proposed processing activity from the point of view of the individual and uncover potential issues that may otherwise go unnoticed.
TIA for informing transfer safeguards
The need to conduct a TIA was outlined in the EDPB’s six-step roadmap, which was released as part of its final guidance in the fallout from the Schrems II case. A TIA’s primary purpose is to assess the risks posed by data transfers from the EU to a third country.
The TIA should outline the gaps in third-country law that fall short of the standards upheld by the GDPR, together with separate assessments of the safeguards provided by the destination country and of the safeguards provided by the recipients involved. In these instances, the TIA should help guide your organization when putting in place the correct safeguards to achieve an essentially equivalent level of data protection to that found in the EU. This may include Article 46 safeguards such as Standard Contractual Clauses (SCCs).
Having conducted a thorough TIA, you might find that an Article 46 safeguard alone does not uphold the correct standard of data protection and a supplementary measure might need to be employed such as split-processing pseudonymization.
The need to conduct a TIA – or Transfer Risk Assessment (TRA), as they are known in the UK – is seen as a requirement by regulators in the EU and the UK. In practice, a TIA will often need the input of privacy and compliance teams as well as business owners across functions such as procurement. The results of a TIA will help to inform your data transfers with the appropriate safeguards to align with the requirements of the GDPR.
How OneTrust Helps
The OneTrust PIA & DPIA Automation solution enables organizations to consolidate information from internal and external stakeholders to gain both a technical and a contextual understanding of how data is collected, the purpose for which it’s being used, where the data is located, and what protections are in place. Because this information needs to be kept constantly updated, the OneTrust PIA & DPIA Automation solution allows you to schedule update prompts to ensure business owners are alerted when updates are needed.
The tool is powered by OneTrust DataGuidance, a database of global privacy laws, which backs dozens of built-in assessment templates and automated mitigation recommendations. The tool scales and supports multiple languages, enabling you to maintain all the records you need to demonstrate compliance with global laws.
With OneTrust PIA & DPIA Automation you can:
Request a demo today to learn more about the OneTrust PIA & DPIA Automation tool.