Over the last 20 years, technology has changed dramatically. First and foremost, the internet and how people use it have been completely transformed. More personal data is being used in revolutionary new ways, which brings with it significant benefits and significant risks. In response, European Union (EU) data protection law has been revisited to address modern internet usage, resulting in the EU Parliament approving the General Data Protection Regulation (GDPR) in April 2016. On May 25, 2018, the GDPR becomes enforceable; however, Gartner predicts "that by the end of 2018, more than 50% of companies affected by the GDPR, will not be in full compliance with its requirements." There is still time to achieve compliance, and some of the GDPR's components might already be in place in your organization. One such component is a mandatory Privacy Impact Assessment (PIA) in certain scenarios involving data collection and processing. Note that the regulation itself uses the term Data Protection Impact Assessment (DPIA) for this requirement; the two names refer to the same Art. 35 obligation.
This post explores this component of the GDPR in more detail. If you are more interested in a general overview of the GDPR, consider browsing our overview of GDPR and JumpCloud or the official GDPR website instead. The GDPR also introduces some new terminology, and our GDPR definitions page explains the meaning of those terms.
Mandatory Privacy Impact Assessments (PIA)
A Privacy Impact Assessment documents how an organization handles personal information, how it secures that information, and how it maintains the information's privacy (TechTarget). The GDPR requires controllers to carry out such an assessment, before the processing begins, whenever processing is likely to result in a high risk to the rights and freedoms of natural persons, in particular where new technologies or systems are being used (GDPR Art. 35(1)). Art. 35(3) then names three kinds of processing that always require an assessment:
- A systematic and extensive evaluation of personal aspects based on automated processing, including profiling, on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person.
- Large-scale processing of the special categories of data (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic, biometric, health, sex life or sexual orientation data), or large-scale processing of personal data relating to criminal convictions and offenses.
- Systematic monitoring of a publicly accessible area on a large scale.
Note that "new systems or software" on their own do not trigger the requirement; what matters is whether the resulting processing is likely to be high-risk, with the three cases above treated as high-risk by definition. Supervisory authorities may also publish their own lists of processing operations that do or do not require an assessment (Art. 35(4) and (5)), so check the list of the authority you report to.
If a controller’s
*** This is a Security Bloggers Network syndicated blog from JumpCloud authored by Natalie Bluhm. Read the original post at: https://jumpcloud.com/blog/gdpr-mandatory-privacy-impact-assessments/