We are often tempted to reuse a significant portion of existing solutions and processes when information systems must adhere to new regulatory requirements. This is usually not prohibited and is indeed advisable in many cases; nevertheless, in the case of the new GDPR any simple and hasty approach would be unsuitable and misleading. This is especially so because the GDPR introduces a specific obligation that helps address adequacy and offers an opportunity to evaluate solutions: the PIA (Privacy Impact Assessment), which in practice is a guided, advance evaluation of the impacts, or damages, that a process, and therefore a company, would face if its data protection measures were violated. Only through this phase and its outputs can solutions, both existing and planned, be demonstrated to be adequate, and the residual or effective risk be estimated. According to the new prescriptions, must those who have never performed a PIA now carry one out promptly, extend it to all processes, including existing solutions and operations, and maintain it indefinitely?
It should be mentioned that the PIA process includes a pre-assessment phase, whose purpose is to decide whether the subsequent evaluation phases need to be deeper or lighter. Some general considerations nevertheless seem appropriate: some of the activities on which the PIA process is based should have been retained even though the DPS document has no longer been required since February 2012 (among these: mapping of data and processing operations, planning and deployment of technical and organizational data protection measures, an overall estimate of the risk reduction obtained, etc.).
Since it would be unfeasible to fully review all internal services and processes that handle personal data and, at the same time, to carry out PIAs on all of them, the following approach seems appropriate:
– to start the PIA process from the initial phases of new projects,
– to take into account the projects and deployment plans for enhancements to existing products or services, and to pair them with an advance impact analysis,
– to monitor the processes or operational phases known to be most exposed to data protection risks,
– to apply PIAs to existing processes whenever new technical solutions become available, new vulnerabilities become known, or deficiencies are discovered at industry level,
– to verify continuously over time that the evaluations already performed, and the assumptions behind them, remain relevant and suitable.