CNIL: Privacy Impact Assessments
The CNIL has published new guides for carrying out PIAs (Privacy Impact Assessments). The method will help data controllers implement Privacy by Design.
From good practice to a real compliance approach
Article 34 of the French Data Protection Act provides that data controllers shall “take all useful precautions, with regard to the nature of the data and the risks of the processing, to preserve the security of the data…”. Data controllers must therefore identify the risks arising from their processing operations in order to select adequate measures to reduce them. To help SMEs and micro companies, the CNIL published a first security guide in 2010. It sets out simple precautions that should be implemented to improve the security of personal data processing. In June 2012, the CNIL published a further guide on privacy risk management, applicable to complex processing operations or high-risk scenarios. It helped data controllers gain an objective understanding of the risks arising from their processing operations, so as to select the necessary and sufficient security controls.
A faster, easier-to-implement, and better-equipped method
This guide has been updated to remain in line with the draft European Data Protection Regulation and the WP29’s work on the risk-based approach. It also takes into account feedback and improvements proposed by various interested parties. Today, the CNIL provides a much more efficient method, composed of two guides: the methodological approach and the tools (templates and examples). They are complemented by the already published catalogue of measures for risk treatment.
A PIA (Privacy Impact Assessment) relies on two pillars:
- The fundamental principles and rights, which are “non-negotiable”: they are fixed by law and must be complied with, and may not be modulated, whatever the nature, severity or likelihood of the risks;
- Privacy risk management, which makes it possible to determine the adequate technical and organisational controls to protect personal data.
To implement these two pillars, the approach consists of four steps:
- Context study: define and describe the processing operation(s) of personal data under consideration, their context and what is at stake;
- Controls study: identify existing or planned controls (those that fulfil the legal requirements, and those that treat the privacy risks);
- Risks study: assess the risks related to the security of the data that could have an impact on individuals’ privacy, in order to check whether the risks have been treated adequately;
- Validation: decide whether to accept the manner in which it is planned to fulfil the legal requirements and treat the risks, or to repeat the previous steps.