With the GDPR about to take effect for businesses across the EU, Privacy Impact Assessment (PIA) handbooks have become a key tool for making sure an organisation is compliant from day one. (The GDPR text itself calls the exercise a Data Protection Impact Assessment, or DPIA, under Article 35; the ICO guidance this article draws on uses the older term PIA.)
These checkpoints do two jobs. They ensure that future platforms, Learning Management Systems (LMSs) and other providers are built to the new requirements, and they give every company a way to audit the compliance of platforms that are already in operation.
Because a PIA can be slotted into your existing project management and risk management methodologies, the three simple checkpoints below show how to take your organisation through the PIA process and prepare your procedures before the GDPR comes into effect.
Do I need a PIA?
A PIA is valuable in a wider range of business contexts than you may have realised, but the first step for any business is to assess whether a PIA is required at all.
You may need more detailed clarification from your supervisory authority (in the UK, the Information Commissioner's Office), but you will most likely need a PIA in the following circumstances:
Remember, a failure to ensure this compliance could result in the following:
This matters if you currently rely on a platform such as a Learning Management System whose provider may not fully appreciate the consequences of processing certain kinds of personal data within its projects. Non-compliance is a significant risk not only to the provider, but also to the partners and customers exchanging information back and forth with that LMS platform.
The Project Plan: Integrating your PIA Outcomes
After first checking whether your business falls into one of the circumstances that require a PIA, and then describing your information flows against the new criteria, the third step is to integrate the outcomes of your PIA back into your project plan.
When feeding these outcomes into the wider project management process, remember that changes to the project during its lifecycle may require you to revisit the screening questions to confirm that the PIA is still appropriate. This is especially important if your existing project management methodology does not work from a fixed set of requirements.
Overall, while this may seem complex to some businesses, all you need to remember is the following: