The term assessments appear a great deal in IAF work. We have written about comprehensive data impact assessments, ethical assessments, digital marketing assessments, Canadian assessments and legitimate interests assessments. All these references are part of the same theme; a family of comprehensive assessments of how data is used and how it impacts individuals is necessary to determine if processing is legal, fair and just.
From the earliest days of privacy, there has been an implied requirement that organizations know how they are going to be using data so they would be able to describe the use to individuals. In the 1970’s, the implied requirements were not hard. Prior to data base technologies, data was typically collected and used for specific, straight forward purposes.
By the early 1990’s, information aggregators, such as TRW Information Systems and Services and Acxiom, were beginning to use data for numerous purposes, and the first privacy impact assessments were developed. They were not developed in response to data protection law but rather to avoid reputational risk for the companies involved.
Privacy by design, as a governance discipline, required organizations to fully understand what they were doing with data and why. The growth of accountability based governance did much the same. FTC consent decrees requiring privacy management programs accelerated the assessment process. Canadian regulators took this to the next level with guidance on privacy management programs.
The General Data Protection Regulation, that goes into effect in exactly a year, has made the requirement that one conduct assessments explicit in three ways. One is related to “record keeping” requirements, balancing of interest and the ability to demonstrate many parts of “accountability”. This is the first instance of a legal requirement to in effect perform an “assessment”. Second, in certain areas of processing likely to create risks to individuals, an explicit assessment requirement is noted; one that assesses a broader range of rights and implications than is contemplated in a core Privacy Impact Assessment. Fines are part of potential sanctions for organizations that should conduct assessments but do not. Finally, to determine the legitimacy of processing a “balancing” process is required.
The European Union Article 29 Data Protection Working Party issued draft guidance on Data Protection Impact Assessments and described in detail when such assessments would be required. As part of the consultation process, the IAF provided comments.
The IAF, whose mission is accountability based governance of information processes, sees assessments not just as a legal requirement but rather as the hub or lynchpin of an information governance program. No matter whether a company is justifying the use of legitimate interests as the legal basis for thinking with data or assessing to understand the risks associated with data processing, there are steps that inform the organization, documents accountable processes and that facilitate oversight. This process begins with some common steps:
- a description of the processing that will be conducted;
- the data that will be used for that processing and the obligations that are associated with that data;
- an identification of the stakeholders impacted by the processing;
- the risks to the stakeholders if the processing is or is not conducted;
- the benefits that come from the processing and who receives the benefits.
So, the IAF sees assessments as the central part of effective data protection governance. We see it as the basis for, not just legal fair and just but a core element to assessing the ethical processing of data. We see it as the means of demonstrating compliance. We see it as means of creating confidence in new, innovative uses of data. It is the hub of a forward-looking data protection program.
The threat of fines is a great motivator for creating assessment processes. But in the end assessments should serve a business need in this digital age. Companies should conduct assessments because it sustains and enables their data driven business processes.
Assessments are not easy. They often will raise contentious issues within organizations. They require internal oversight and governance processes to address these issues. But in the end, they will liberate organizations to both enhance shareholder value and let data serve individuals.