General Data Protection Regulation (GDPR) – Privacy Impact Assessment (PIA)
Insurance2day Insurance Services Ltd will conduct PIAs in respect of, but not limited to, the following projects, as Privacy and Data Protection is a key consideration in the early stages of any project and throughout its life cycle.
• New IT systems for storing and accessing personal data.
• Any data sharing initiative, where we seek to pool or link sets of personal data.
• Any proposals to identify people in a particular group or demographic and initiate a course of action.
• If using existing data for a new and unexpected or more intrusive purpose.
• Any new surveillance system (especially where members of the public are monitored) or the application of new technology to an existing system (e.g. adding Automatic number plate recognition capabilities to an existing CCTV system).
• Any new database which consolidates information held by separate parts of an organisation.
• Legislation, policy or strategies which will impact on privacy through the collection or use of information, or through surveillance or other monitoring.
Privacy Impact Assessment Screening Questions
These questions are intended to help decide whether a PIA is necessary. Answering ‘Yes’ to any of these questions is an indication that a PIA is required. The answers to these questions may change as a project develops, and therefore continual review is required.
– Will the project involve the collection of new information about individuals?
– Will the project compel individuals to provide information about themselves?
– Will information about individuals be disclosed to organisations or people who have not previously had routine access to the information?
– Are you using information about individuals for a purpose it is not currently used for, or in a way it is not currently used?
– Does the project involve using new technology which might be perceived as being privacy intrusive? For example, the use of biometrics or facial recognition.
– Will the project result in you making decisions or taking action against individuals in ways which can have a significant impact on them?
– Is the information about individuals of a kind particularly likely to raise privacy concerns or expectations (e.g. health records, criminal records or other information that people would consider to be particularly private)?
– Will the project require individuals to be contacted in ways which they may find intrusive?
Information the PIA needs to contain
Identify the need for a PIA
– summarise why the need for a PIA was identified
– explain what the project aims to achieve, what the benefits will be to the organisation, to individuals and to other parties
Describe the information flows
– the collection, use and deletion of personal data needs to be described
– note how many individuals are likely to be affected by the project
– explain what practical steps you will take to ensure that you identify and address privacy risks.
– who should be consulted, internally and externally?
– how will you carry out the consultation?
– link to the relevant stages of the project management process
Identify the Privacy and related risks
– identify the key privacy risks and the associated compliance and corporate risks.
– create a risk register
Identify Privacy Solutions
– describe the actions you could take to reduce the risks and any future steps which would be necessary
Sign off the PIA
– each risk needs to be identified alongside the solution and a signature approving the solution
– this needs to be signed off at a senior level
Integrate the PIA Outcomes back into the project plan
– who is responsible for integrating the PIA outcomes back into the project plan and updating any project management paperwork?
– who is responsible for implementing the solutions that have been approved?
– who is the contact for any privacy concerns which may arise in the future?
Name Contact for Future Privacy Concerns
Circulate the document to all GDPR and Project Committee members and retain a record that the document has been circulated.
When the project is under review the document should be revisited.
The document needs to be signed off at senior level and by those involved in the project and by the nominated persons responsible for GDPR.
A signed copy should be retained with the project information and by the GDPR committee.
The purpose of this overview is to provide a summary of our interpretation of aspects of the GDPR regulations. This is not an analysis of the law and does not constitute a legal opinion or advice by Insurance2day Insurance Services Ltd. The contents of this overview, or any downloads, should not be relied upon – all companies need to take their own specialist qualified legal advice on any matter that relates to GDPR.