The Next Generation PIAs

GDPR Ready: Article 30 & 35

This framework is the latest in Nymity’s ongoing thought-leadership research in accountability. It is a next-generation approach to Privacy Impact Assessments (PIAs) and Data Protection Impact Assessments (DPIAs), called the Accountability PIA Framework. The core of the approach works on a simple premise: PIAs and organisational accountability share the same purpose, to mitigate privacy risk and address compliance. So why can’t organisational efforts in accountability be leveraged in a PIA? This paper argues that they can and provides a framework for doing so.

The Framework extends the functionality and value of a PIA well beyond the traditional PIA in use today. It delivers:

  • benefits to individuals;
  • higher assurances that risk is mitigated effectively; and
  • if you are subject to GDPR, your Article 30 records of processing activities.

GDPR Ready

Sections 5, 6, and 7 address GDPR Article 30 (Records of processing activities) and Article 35 (Data protection impact assessments).

Also, this next generation Framework enables PIAs:

  • to make better use of resources; and
  • to be much more scalable.

Finally, for the business, it:

  • enables more processing of personal data; and
  • provides evidence of compliance.

In short, the Accountability PIA Framework has better outcomes for both individuals and the organisation. The paper has 7 sections:

  1. Challenges with the Traditional Approach to PIAs
  2. The Overlap between Accountability and PIAs
  3. Accountability PIA Framework
    • Step 1: Benefits to Individuals
    • Step 2: Remediate Risk using Accountability Mechanisms
    • Step 3: Effectiveness Assessments
  4. The Outcomes: Better Risk Mitigation and Demonstrable Compliance
  5. Accountability and DPIAs in the GDPR
  6. Example Article 30 and Article 35 Reports
  7. The Power of Structured Accountability for GDPR Compliance

Appendix A: Why the Timing is Right for the Next Generation of PIAs: Accountability PIA Framework