What is behind CNIL release on PIA eligible data processing activities?
December 2018 by Anne Lupfer Manager - Information Security, Provadys
The Privacy Impact Assessment (PIA), called Data Protection Impact Assessment (DPIA) in the GDPR, changes the daily work of risk managers, legal experts, project managers, data controllers and Data Protection Officers (DPOs).
The GDPR itself and the Guidelines on DPIA (WP 248) adopted on 4 April 2017 by the Article 29 Working Party (G29, since replaced by the European Data Protection Board, EDPB) set out the criteria for deciding whether a PIA has to be carried out. Applying those criteria to a given processing activity is still a tricky question for data controllers.
To help them, the CNIL announced that it would publish a list of processing activities for which a PIA is mandatory. The two CNIL deliberations adopted last October were therefore eagerly awaited.
What do these releases bring?
Most of the listed activities clearly require a PIA, which is no surprise: each of them meets at least two of the criteria derived from the GDPR text or from the G29 Guidelines. They include processing of health data in the healthcare or health and social sector, genetic data of vulnerable people, and profiling that could lead to excluding people from a service. For some other listed activities, deciding whether the criteria apply requires a closer look at the G29 recommendations. This is typically the case for human resources management activities.
Here is an extract of the list published by the CNIL:
Establishing profiles of individuals for HR management purposes (evaluation or scoring, vulnerable data subjects)
Processing activities whose purpose is to constantly monitor the activity of employees (vulnerable data subjects, systematic monitoring)
Whistleblowing systems (vulnerable data subjects, evaluation or scoring, processing of sensitive data)
The criterion common to these three kinds of processing is that they handle personal data of "vulnerable" data subjects. If you wonder why employees are considered vulnerable, have a look at the G29 Guidelines on DPIA.
Here is what the Guidelines on DPIA teach us:
“Data concerning vulnerable data subjects (recital 75): the processing of this type of data can require a DPIA because of the increased power imbalance between the data subject and the data controller […].
For example, employees would often meet serious difficulties to oppose the processing performed by their employer when it is linked to human resources management. Similarly, children can be considered as not able to knowingly and thoughtfully oppose or consent to the processing of their data. This also concerns more vulnerable segments of the population requiring special protection […].” In a nutshell, as one of my colleagues neatly summarised: “The vulnerability of a person is admitted when the relationship with the data controller is imbalanced and can prevent someone from exercising his rights.”
A support for data controllers in decision making:
Even though the list is not exhaustive, it prompts controllers to re-examine the cases in which a DPIA is required.
The list strengthens the framework around the PIA activity and makes the actors aware of their responsibilities. In some contexts it can have a strong effect and lead to a PIA being carried out where one seemed unnecessary. It can also have a real impact on GDPR compliance processes in many health facilities, which are still reluctant to start them because of the size of the task.
The same goes for Human Resources departments that had wrongly assessed the "vulnerability" of their employees. These departments now have no choice but to meet their data protection obligations and responsibilities.
The DPIA is a cornerstone of the GDPR compliance roadmap. It is crucial to ensure that processing activities, especially new ones, meet GDPR requirements, and it can be produced as evidence, as the accountability principle requires. The DPIA should be systematic, iterative, documented and fully integrated into the company's processes.
In any case, carrying out a PIA has a positive impact on the company's GDPR compliance.
We recommend systematically documenting the decision-making process, whatever its outcome. The aim is to record the reasons behind each decision so that it can be understood later, including the criteria that led to excluding a given processing activity from the PIA obligation.
A documented PIA, even an incomplete one, is a first step in the risk analysis of each processing activity. At the very least, a PIA provides the insight needed to make strategic decisions.
Provadys is at your side on your way towards GDPR compliance. Provadys is a cybersecurity and data protection consulting, audit and training company, holding the PASSI qualification issued by ANSSI, the French National Cybersecurity Agency. Our teams bring together expert security consultants and legal experts who work hand in hand to help you reach GDPR compliance.
Provadys operates throughout France and has offices in Paris, Sophia-Antipolis and Nantes. We have more than 200 active clients located in France and abroad.
Provadys, NetXP and Majj are in exclusive negotiations to build an independent French leader in cybersecurity, cloud and infrastructure. The three organisations share the same values, the same passion and the same dedication to employee well-being. The merger would allow the new group to expand its service offering, step up its R&D activity and take on new challenges. By joining forces, NetXP, Provadys and Majj will be able to meet organisations' expectations.