Privacy impact assessment – yes or no?
The GDPR requires controllers to carry out a privacy impact assessment (“PIA”, called a “data protection impact assessment” or DPIA in Article 35 GDPR) before starting any processing operation that is likely to result in a high risk to data subjects. Companies must first assess whether a planned processing operation could pose a risk to the rights and freedoms of data subjects. If the processing is likely to result in a high risk, they must then perform a detailed PIA before the processing begins. The most challenging part will usually be deciding whether a high risk exists in one’s own company. In this context, the GDPR takes the perspective of the data subject, i.e. it asks whether the rights and freedoms of the individual could be affected (in practice, such curtailments of the data subject’s personal rights are called the “privacy impact”).
In the course of data mapping, every department in your company should first assess this impact and thereby identify the risks for the data subjects. The second step is to describe the processing operations and the measures to be taken (“What exactly do I do, and what can I do to reduce the risk?”). The GDPR leaves it to the controller to decide how this process is organised; it prescribes only the minimum content of the assessment (a description of the processing and its purposes, an assessment of necessity and proportionality, an assessment of the risks, and the measures envisaged to address them).
In practice, PIAs will be required in particular for companies that use new technologies (such as tracking tools), process special categories of data (e.g., health-related data, data relating to criminal convictions, etc.) or carry out processing operations that appear on a so-called blacklist (a list of particularly high-risk types of processing that each supervisory authority must publish under Article 35(4) GDPR and that the Austrian Data Protection Authority will publish in the future).