Privacy Impact Assessment (PIA) is the second pillar of data privacy accountability and compliance. After registering your Data Protection Officer (DPO) with the National Privacy Commission (NPC), the next step is to identify, evaluate, and manage the data privacy risks present in your operations. Here are some tips that can help you in the conduct of your PIA:
1. Identify your processing activities.
Make a list of your organization's processes, procedures, systems, programs or projects that involve the collection and processing of individual personal data. This gives you an idea of how many processing activities need PIAs and lets you map out a target completion date for all of them. Remember that you will conduct a PIA for each processing activity. So, if you have fifty (50) processing activities, you need to conduct fifty (50) PIAs.
2. Identify the process owner/s and stakeholder/s.
After you have a list or inventory of the processing activities that need PIAs, proceed to identify the process owner/s and stakeholder/s of each processing activity. The concerned process owner should be the one to conduct the PIA on his or her own process, so that the PIA form is answered accurately and the risk findings are accurate. Stakeholder/s of each processing activity must also be involved.
3. Orient the process owner/s on the importance of PIA and on how to answer the PIA form.
Before the actual conduct of the PIA, your process owner/s must first understand the importance of conducting the PIA and must be oriented on the parts of the PIA form that they will answer. This is necessary so that your process owner/s will answer the PIA form seriously and honestly. For some DPOs, this might be the hardest part of conducting the PIA: securing the participation and the time of process owner/s within the organization. Some process owner/s think that the DPO is just giving them an additional task, or say that they do not have time to do the PIA because they have their own specific and equally important functions to perform. Getting their participation will be challenging for a DPO, especially in large organizations where many process owners are involved. Thus, the DPO must demonstrate his or her authority and leadership skills in order to gain the respect and participation of the process owner/s.
4. Be ready with your forms, contracts, policies and other documents.
When answering the PIA form, ensure that the process owner/s have with them the forms, contracts, policies and other relevant documents related to their processing activity. With these at hand, it will be easy for them to accomplish the PIA form and to answer the specific questions therein. Accurate answers will result in accurate risk findings.
5. Verify the risks found and provide privacy solutions and recommendations.
Once the process owner/s is/are done answering the PIA form, the next step is the risk analysis and mapping. To be certain of the privacy risk findings, verify them first with the concerned process owner/s so that you do not waste time recommending privacy solutions that are not needed. After verifying all the risks found, you can proceed with your risk mapping and provide specific recommendations to address those risks.
A PIA may be complicated, but once you have done it properly and in an orderly way, it can make your next compliance activities smooth. For those who have not conducted their PIAs yet, I hope these steps can guide you in doing your PIAs.