Have you submitted your projects to a DPIA (Data Protection Impact Assessment)? This step is mandatory for the most sensitive personal data processing. It is a great way to adopt a privacy-centric approach and thus strengthen the trust of the people whose data you are processing. The EIVP lets you control your budget and secure your launch schedule. We’ll tell you everything in today’s product news.
DPIA, AIPD, EIVP, what is it?
Privacy Impact Assessment (EIVP, AIPD in French).
All these acronyms refer to the same thing. One is used to perform a detailed analysis of the components of a project involving the processing of personal data.
This processing generates a risk to privacy that will be evaluated and reduced by adopting adequate measures. Its conduct, therefore, follows an iterative process that will determine the risk generated by the project and identify measures to reduce it.
The conclusions of a DPIA depend on your knowledge of the project and the level of risk. Thus, it is part of a continuous improvement approach following the project lifecycle. It will therefore be regularly renewed to readjust the conclusions.
AIPD mandatory, master your compliance risk
Any processing of personal data is subject to the legal requirements of the GDPR. But for your most sensitive projects, which present a high risk to the freedom of the people concerned, the DPIA will be a required step.
This risk is assessed in light of a set of criteria such as:
- the volume and diversity of data collected;
- the number of people concerned and their vulnerability (e.g., minors or employees);
- the innovative nature of the project on a technological level.
There is, therefore, a subjective assessment to be made. Fortunately, the CNIL has listed indicative processing for which a DPIA is required and those for which it is optional.
Pay attention to this step. In case of control by the regulatory authority, you will be accountable for your decision to launch or not a DPIA.
EIVP or how to submit your project to the privacy stress test
A DPIA is not something trivial.
Conducting one takes time. Given the effort it will require, is it worth it?
Feel free to abandon a nice-to-have but too-sensitive project. Focus on what you need.
Similarly, if you do not reduce the risk to an acceptable level at the end of the process, the entire project must be submitted to the CNIL for review. Keep that in mind.
DPIA at the heart of a privacy-by-design approach
The DPIA is the ideal method for doing your projects privacy-friendly.
Why? You will challenge the project in depth to make it less intrusive.
Do you need to collect all this data? Why not degrade its depth over time? How to restrict access to raw data? These are the types of questions you will examine.
The opinion rendered by the CNIL on the DPIA relating to the Stopcovid mobile application project is instructive. It shows that efforts have been made to make the device as non-intrusive as possible. This was highlighted to encourage the French to download this application.
Benefit from CNIL’s tools and methods
Nevertheless, for many actors, this is a novelty.
To help you in your efforts, the CNIL provides you with the following:
- A toolbox involving templates and a method;
- A regularly updated open-source software. A new version has been published, integrating fixes and new features.
Optimize your project cost with the DPIA.
Conducting a DPIA simplifies the integration of data protection measures into your project. The CNIL recommends launching it even when it is not legally required.
- The EIVP provides immediate and comprehensive visibility.
- You can identify the main actions to be taken, such as automated purge functionality, pseudonymization or anonymization processes, and more. Once the study is completed, you will have a global overview before entering the development phase.
- This enables you to estimate the cost and time required for IT developments and the legal measures to implement. By anticipating, you can ensure privacy concerns will not disrupt your planning.
- In the medium term, you can also avoid complications. For example, the EIVP helps optimize the security of your tool, limiting the risk of suffering a personal data breach and having to notify the CNIL.
On the other hand, launching an EIVP when IT developments are already underway or just before production is much riskier. This exposes you to unexpected problems, such as the need to change a service provider or undertake additional IT developments, which can cause your budget to skyrocket and your launch date to be delayed.
In conclusion, by using the DPIA, you can prioritize privacy by design, which will help secure the personal data you process
Your efforts will be appreciated by the individuals concerned and will help establish a relationship of trust. You will also prove that you take data protection seriously.
By focusing on a limited number of projects that meet your current needs, you can improve your performance and protect your e-reputation. For example, if you are developing a project that relies on acquiring a data management platform, using Axeptio’s cookie module can help you secure the collection of online consents for cookie deposits. The DPIA can help ensure that the data collected is used appropriately and that campaigns are personalized effectively.
