The Argentine Agency of Access to Public Information and the Uruguayan Regulatory and Personal Data Control Unit recently published joint "Data Protection Impact Assessment Guidelines." Uruguayan law already provides for mandatory privacy impact assessments, whereas current Argentine law does not (although such a requirement is included in the bill pending before Congress). The jointly published guidelines draw primarily on the laws of the EU member states and of the parties to Convention 108, to which both Argentina and Uruguay are parties.
Pursuant to the accountability principle and in line with the concepts of privacy by design and by default, the DPIA is meant to guide public bodies as well as private companies, from an early stage, in identifying the risks to personal data that may arise from their usual activities and projects, so that the potential negative effects of those activities or projects can be minimized. The guidelines are aimed at large companies, technology startups and other small businesses alike.
The DPIA is an important reference for organizations when defining the management processes for their information assets, including personal data. It helps organizations identify the risks that may arise while they carry out their daily activities, conduct new projects or apply their internal policies, the goal being to manage, minimize or eliminate those risks so as to achieve effective data protection under the applicable law.
The assessment is intended to establish the relationship that will exist between the data controller and the data subjects, taking into account in particular the data subjects' reasonable expectation of privacy, the influence of the controller's activity on society, how the controller makes certain decisions, and why, and what its goals are. The DPIA is divided into six evaluation stages, running from the identification of the key people involved in the prospective processing of personal data to the detection of the risks it entails. The activities in each stage are to:
- Choose the participants in the initial analysis and in the impact assessment, and define the documentation process.
- Analyze the law applicable to the assessment being conducted.
- Carry out a preliminary analysis of the factors that determine whether a full assessment is required (this stage can be omitted where the assessment is mandatory by law).
- Analyze each stage of the processing under evaluation from a personal data protection perspective.
- Analyze the risks involved in each of the previous stages so that they can be managed adequately.
- Draw up and carry out a suitable management plan for any risks identified in the previous stages.
At each stage, the data controller is urged to prepare partial reports that can later be consolidated into a final report describing the planned actions and the results achieved.
The results of the DPIA must be fed back into the management of the project or into the company's daily activities. The guidelines therefore stress the importance of keeping a record of the assessment process in an auditable and comprehensible manner. They also recommend that the data controller publish a copy of the final report on its website or make it available on request, redacting any confidential information where applicable.