New guides for carrying out PIAs (Privacy Impact Assessments) have been published by the CNIL. The method will help data controllers to implement Privacy by design.
A PIA (Privacy Impact Assessment) relies on two pillars:
– The fundamental principles and rights, which are “non-negotiable”, fixed by law and must be complied with. They may not be modulated, whatever the nature, severity and likelihood of the risks;
– Privacy Risk Management, which makes it possible to determine the adequate technical and organizational controls to protect personal data.
To implement those two pillars, the approach consists of 4 steps:
– Context study: define and describe the processing(s) of personal data under consideration, its (or their) context and stakes;
– Controls study: identify existing or planned controls (those that fulfill the legal requirements, and those that treat the privacy risks);
– Risks study: assess the risks that are related to the security of data and that could have impacts on individuals’ privacy, in order to check whether the risks have been treated adequately;
– Validation: decide whether to accept the manner in which it is planned to fulfill the legal requirements and to treat the risks, or to reiterate the previous steps.
More details can be found in the following documents:
http://www.cnil.fr/fileadmin/documents/en/CNIL-PIA-1-Methodology-EN.pdf
http://www.cnil.fr/fileadmin/documents/en/CNIL-PIA-2-Tools-EN.pdf
http://www.cnil.fr/fileadmin/documents/en/CNIL-PIA-3-GoodPractices.pdf