Managing Privacy Risk and Demonstrating Accountability - How Can Privacy Impact Assessments Help?
2020 continues to be an eventful and challenging year for privacy professionals. In-house privacy functions are under pressure to keep up as organisations respond and adapt to a much-changed working environment brought about by COVID-19. Innovation in data-driven services, covering growing trends such as employee monitoring, behavioural analysis and monetisation of consumer activities, continues to challenge legislators and regulators.
Despite budgetary and business continuity pressures, privacy functions still need to respond to compliance risks and considerations in a targeted, efficient and effective manner. A well-designed and flexible privacy impact assessment (PIA) framework can give organisations the tools to respond to these new pressures, covering short-term changes and longer-term data strategies.
Key takeaways
- As a degree of stability emerges on the horizon for businesses and more people begin to return to the workplace, organisations must understand the impact of the last few months of operational changes. Privacy impact assessments (PIAs) can deliver frameworks that give stakeholders a holistic understanding of how the business uses data and support steps to retrospectively assess changes in business services and operations.
- PIA frameworks are customisable and can be complemented by data transfer impact assessments (DTIA), which are particularly relevant to privacy functions in light of the Schrems II ruling that has raised new questions about the validity of EU-US data transfers.
- A&M’s regulatory expertise and strong operational heritage help us deliver bespoke and robust PIAs and DTIAs, delivering value to technical teams and boards alike.
Why do we need PIAs?
PIAs have increasingly become a fundamental component of privacy and compliance frameworks.
PIAs allow organisations to anticipate and address the future privacy consequences of any changes in data processing. This could involve new projects, system migrations, changes in vendor, product launches or service upgrades. Organisations are taking on an increasingly wide range of activities involving the collection and management of personal data. Accordingly, the potential for significant reputational damage and regulatory sanctions has also grown.
The EU’s General Data Protection Regulation (GDPR) has also driven more detailed evidence-based assessments of personal data usage. In particular, the GDPR has mandated that organisations perform a documented data protection impact assessment (DPIA) in prescribed circumstances where there is a high risk to individuals. DPIAs and PIAs can complement each other and incorporate other compliance activities such as legitimate interest assessments (LIAs): for more on this subject, read our recent post on ‘Fraud Investigations – Reliance on Legitimate Interests’.
What makes a good PIA?
An effective PIA framework should be efficient, user-friendly and relevant. Perhaps most importantly, it should help the organisation deliver on four key outcomes:
- understanding why, how and what personal data will be involved or will change across the data lifecycle;
- identifying, prioritising and quantifying any potential privacy risks and compliance issues;
- determining where appropriate remediations or mitigations (including adopting less privacy-intrusive alternatives) can be contemplated; and
- providing a record of the assessment itself and of how privacy risk and compliance have been considered in relation to the activity.
Ideally, PIAs should be performed at the outset of a new activity, or before changes to an existing activity, to help ensure issues are identified and addressed before personal data is processed in a new or different way. An overly complex, time-consuming or restrictive PIA framework is likely to be counterproductive, undermining engagement with the process and reflecting negatively on the privacy function.
Unpredictable privacy challenges: COVID-19 and Schrems II
The events of 2020 have demonstrated the difficulty of predicting where privacy challenges will emerge next. In particular, COVID-19 and the CJEU’s Schrems II ruling have created new operating environments for privacy professionals and management teams. DTIAs and PIAs can help organisations respond to these still-developing risks.
Schrems II has left many privacy teams seeking to reassure anxious executives concerned about their regulatory and fiduciary exposure. It is essential that organisations put in place a practical response to assessing these risks. For many organisations, particularly multinationals, a data transfer impact assessment (DTIA) could serve as a logical next step and an evolution of existing PIA frameworks.
A DTIA should address the issue central to the Schrems II case – whether data importers can provide sufficient safeguards for personal data, particularly considering the impact of local laws and regulations, including possible government surveillance and powers to request personal data of EU citizens. In this regard, a DTIA should take into account:
- the data protection laws in the jurisdiction where the data importer is based;
- the national laws permitting access to personal data by public authorities, government bodies and law enforcement agencies;
- rules regarding onward data transfers;
- enforceability of individual rights and judicial redress; and
- the existence of a national supervisory body for overseeing those rules and any international commitments that jurisdiction has entered into impacting upon the protection of personal data.
Likewise, in responding to the challenges of COVID-19, many organisations have put in place significant changes to working patterns. More services and operations have migrated online; remote-working arrangements are now widespread; and employers may be collecting more health-related information about employees and/or customers. Organisations may also have been tempted to deploy software to monitor productivity of their remote-working employees.
It is important that organisations do not lose sight of their regulatory obligations and ignore the privacy risks posed by these activities. Effective PIA processes help organisations assess and address privacy risks by:
- Scoping and triaging processes to focus efforts on the highest risk activities;
- Identifying triggers for risk assessments and other regulatory considerations;
- Integrating risk and compliance processes to reduce the number of assessments for enterprise-wide responses and measures; and
- Providing a framework to address differing stances of national data protection authorities in responding to events with cross-border implications like COVID-19 or Schrems II.
In the urgency to maintain business continuity, organisations may have implemented some measures at pace and without the usual level of scrutiny by the privacy function. There are also scenarios where measures anticipated to be in place for weeks have had to be maintained for much longer.
Organisations may need to undertake retrospective DPIAs and PIAs to assess the privacy risks presented given the likelihood of many of these changes becoming longer term or even permanent as we enter a ‘new normal’. This will be particularly important with respect to staff productivity and attendance monitoring, increased collection of employee and customer location and health data, and disclosing data to external parties like public authorities and health bodies.
How A&M can help
We have extensive experience helping clients design, improve and manage PIA processes, tailored to match each organisation’s requirements.
PIA process design and improvement
- Configure a PIA framework based on an organisation’s risk appetite, available resources, and compliance maturity;
- Integrate with existing risk, compliance or operational processes, and incorporate privacy technology and automated compliance solutions;
- Improve existing risk management processes (like hand-offs between the business and risk assessors, effective triaging of risk, and/or remediation tracking); and
- Refine assessments and/or add specific modules to address particular issues, such as data ethics or AI governance, or to update assessments of evolving risks like cross-border data processing or legitimate interest tests.
Supporting implementation
- Develop and deploy clear guidance and instructions for business users;
- Deliver training, workshops and awareness sessions to key groups;
- Test and pilot assessment materials and workflows with targeted user groups; and
- Integrate with relevant risk and compliance reporting, document management, record-keeping and case management tools.
Dedicated support for complex assessments
We also support clients in a range of sectors in designing frameworks and carrying out assessments for complex activities and projects including digital transformation, M&A transactions and operational restructuring. We can also implement short-term programmes to address assessment backlogs and surges in demand.
A&M: Leadership. Action. Results.
A&M’s privacy and data compliance practice focuses on supporting clients to navigate the evolving and complex data protection regulatory landscape to develop and implement solutions to address these challenges.
We offer specialist advisory and consulting services on international and cross-border privacy, data protection, secrecy and related laws and sectoral rules. Professionals within the practice include former consultants, regulators, data protection officers and certified information privacy professionals who are skilled at aligning and implementing complex regulatory requirements within operational processes and settings.