On Nov. 22, France’s Data Protection Authority (CNIL) released the beta version of its open-source software tool intended to assist data controllers in conducting the privacy impact assessment required under the General Data Protection Regulation. 

Article 35 of GDPR requires that a data controller conduct a PIA when its processing of personal data is likely to result in “a high risk to the rights and freedoms of natural persons.” The PIA enables the data controller to assess the nature and severity of the “high risks” before the processing activity (or set of processing activities) commences so that it can adopt appropriate measures to mitigate the risks. Although “high risk” is not defined, Article 35(3) and Recital 91 describe specific circumstances in which a PIA is required, and the Article 29 Working Party’s Guidelines on Data Protection Impact Assessment (WP29 PIA Guidance) provide guidance on when processing counts as high-risk processing for GDPR purposes.

The CNIL’s PIA software is available for download as an individual-use version (Windows, macOS or Linux) or a web-based version, which is specifically designed to be deployed on a company’s network and integrated with its existing systems. The web-based version provides both a front-end and a back-end download. The back-end requires Ruby, Rails, and PostgreSQL, which may not be acceptable to all companies. Integrating Ruby applications into Java and .NET environments can be easy or challenging depending on the sophistication of the environment and the developers involved.

The CNIL’s PIA software captures the specific scope of PIA requirements described in GDPR Article 35(7):

  • The type, purpose and context of the personal data processing, including the responsibilities and the data processed;
  • Information about compliance with the fundamental principles, i.e., proportionality, necessity and data subjects’ rights; and
  • The potential privacy risks arising from the particular processing context and the measures intended to mitigate privacy risks.

The PIA software is generally easy to use for someone already familiar with the GDPR, although some of the French-to-English translations are a bit confusing.

A user starts a PIA by opening the tool and selecting “New PIA.” The user is then prompted to name the PIA and provide the name of an editor, reviewer and validator. Each PIA is organized into four sections: context, fundamental principles, risks and validation. The response box for each question provides a brief description of what is expected in the response. An option to leave comments and upload attachments also is available for each question. When the user selects a question, the tool provides relevant definitions as well as a description of each of the principles the question addresses. 

In some cases, a link to relevant sections of the GDPR is available. A search box, available throughout the PIA, enables the user to search a PIA knowledge base for information not automatically served up by the tool. Previous PIAs are available on the home screen as tiles, which include the creation date and status of each, among other information.

Upon completing the “risks” section, the software maps each risk to its corresponding potential impact, threat, source and measure (i.e., control). The software also provides a scaled score — “undefined,” “negligible,” “limited,” “important” and “maximum” — based on the “gravity” and “probability” of each risk. The software then generates a “risk map” that shows the relative location of each risk on an x-y axis, with the y-axis showing a risk’s seriousness and the x-axis showing a risk’s likelihood. The risk map should differentiate between planned, existing and corrective measures, but how this feature works is not readily apparent. The software also includes a section for creating an action plan.

A reviewer can provide the following evaluation criteria for each section of the PIA: “to correct,” “improvable” and “acceptable.” If either the “to correct” or the “improvable” option is selected, the reviewer can provide comments. A PIA cannot be validated (presumably by the data protection officer) until each question is reviewed and set to “acceptable.”

The CNIL’s PIA software is not the only, or necessarily the best, method for completing a PIA. Developers will no doubt improve and better automate the CNIL’s tool, which the CNIL encourages, or use the CNIL’s tool as a springboard for creating their own collaborative PIA tools.