Privacy Impact Assessment (PIA)

Privacy impact assessment – yes or no?

The GDPR requires companies to perform a privacy impact assessment (“PIA”) before initiating data applications that bear a risk for data subjects. Companies must first assess whether their data processing operations could pose a risk to the rights and liberties of data subjects. If there is a high risk, they must then perform a detailed PIA. The most challenging part of a PIA will likely be assessing whether there is a high risk in one’s company. In this context, the GDPR focuses on the perspective of the data subject, i.e. the question of whether the rights and liberties of the individual could be affected (in practice, such curtailments of the data subject’s personal rights are called “privacy impact”).

In the course of data mapping, all departments in your company should first perform an assessment of said impact and thereby assess risks for the data subjects. The second step should be to describe the processing operations and the measures to be taken (“What exactly do I do and what can I do to reduce the risk?”). The GDPR leaves it up to the data controllers to decide how they want to implement this process.

In practice, PIAs will mainly have to be performed by companies that use new technologies (such as tracking tools), work with special data categories (e.g., health-related data, crime-related data, etc.) or process data according to a so-called blacklist (a list of particularly high-risk types of data processing that will be published by the Austrian Data Protection Authority in the future).

Privacy by Default / Privacy by Design

Privacy by Default and Privacy by Design

These two buzzwords refer to technical concepts described in the GDPR that your company cannot avoid observing and implementing: data protection as a default setting (“privacy by default”) and data protection through technical means (“privacy by design”). This means that IT systems have to be configured so that their programming already greatly reduces the possibility of illegitimate data processing operations. For example, checkboxes must not be pre-selected in a way that pushes users to consent.

Establishing a record of processing activities is a crucial prerequisite for being able to take adequate technical and organisational measures to provide for privacy by default and privacy by design. Once your company has internalised the requirements that must be met to process personal data legitimately, it is easier to decide which measures have to be taken for these two privacy settings.

  • Finally, the principle of privacy by design is considered fulfilled when, e.g., the data subject’s consent is obtained prior to the data processing.