The Next Generation in Accountability Based Privacy Impact Assessments (PIA/DPIA)
PIAs have existed for decades and are mandatory in many jurisdictions. Article 35 of the GDPR requires a DPIA only where processing is likely to result in a high risk to individuals. However, it is difficult to find an automated PIA solution that has run successfully for three or more years, because business units lack the motivation and the privacy office lacks the resources to sustain it. Leveraging years of research, and supported by Nymity’s thought leadership and innovation, Nymity ExpertPIA™ is the most labour-saving technology solution for privacy management.
Avoids unnecessary documented non-compliance
Nymity ExpertPIA™ focuses on mitigating risk first and foremost. It borrows from the concepts of privacy by design and leverages the risk mitigation already built into existing policies, procedures and other accountability mechanisms. When risk is mitigated from the outset, there is little chance that details of non-compliance are documented. The traditional approach uses questionnaires that solicit information in search of non-compliance, which results in non-compliance being documented. The organization will, of course, mitigate that risk, but the documented non-compliance remains discoverable should there be an investigation.
Ensures Just-in-Time Accountability Mechanism™
Through the use of appropriate policies, procedures and other accountability mechanisms, Nymity ExpertPIA™ instructs the business on what to do. It does not ask the business questions about what it is doing or plans to do. This approach leverages the expertise of the Privacy Office/DPO, whose role includes mitigating risk on an ongoing basis through policies, procedures, guidelines and other accountability mechanisms that contain the rules and instructions on how the business is to process personal data. To create these policies and other accountability mechanisms, the Privacy Office/DPO must first understand the compliance requirements, take into account the risk to the organisation and to individuals, seek outside expertise when needed, and use software tools such as Nymity Research™ and Nymity Templates™. If and when the law, the risk or the business changes, the Privacy Office/DPO updates the accountability mechanisms to reflect compliance and risk in the changed scenario. In some jurisdictions, for example those subject to the GDPR, creating and using accountability mechanisms is required by law. This solution applies the concept of Just-in-time Accountability Mechanisms™, so that the right policies and accountability mechanisms are provided to the business at the appropriate time.
Turns Privacy Impact into a positive
Nymity ExpertPIA™ incorporates a simple but powerful concept: it focuses the business and the PIA on the benefits to individuals when processing personal data. Doing so has significant advantages for the organization. First, from a project reporting standpoint, every project involving the processing of personal data can start with a report articulating the benefits to individuals. Second, aggregating the benefits across all projects enables reporting of benefits to individuals by country, by department or across the whole organisation, and tracking them over time. Benefits can accrue to employees, to customers or, in some cases, to society. Third, focusing on benefits to individuals results in better policies being created. Over time, these policies influence the culture of the organisation to focus on benefits to individuals, ultimately enabling the organisation to do more processing of data.
Enables Agile Accountability™
Nymity ExpertPIA™ results in the repeated use of appropriate policies and other accountability mechanisms by the business, with the business engaging the Privacy Office/DPO each time a policy or other accountability mechanism does not address some unique aspect of newly planned processing. This enables the Privacy Office/DPO to identify enhancements to existing accountability mechanisms and, when required, create new ones. The Privacy Office/DPO is unlikely to be able to update data policies frequently, but it can share pending enhancements to policies through the Just-in-time Accountability Mechanisms™. The result is demonstrable, up-to-date accountability mechanisms, which is always beneficial in an investigation and, for organisations subject to the GDPR, is a legal requirement. Continuous improvement of accountability mechanisms results in Agile Accountability™.
Nymity ExpertPIA™ results in the repeated use of policies and other appropriate accountability mechanisms by the business. These mechanisms, for example a marketing policy, are written in business terms and are understandable by the business. Each time the business uses the appropriate accountability mechanism, its expertise in the subject matter of that policy increases. Over time, the business becomes very knowledgeable about what is required when processing data.
Better assessments through Accountability Effectiveness Assessments™
Nymity ExpertPIA™ mitigates risk upfront, based on the concepts of privacy by design, so that the assessment takes place after the risk has been mitigated. An assessment conducted after mitigation evaluates how well the business mitigated the risk; in other words, it assesses how effectively the accountability mechanisms were applied to the processing involved in the project. This is more effective than assessing the risk before mitigating it, as happens in the traditional questionnaire-based approach. The solution is very scalable, as the assessment can be completed by the business itself, by the privacy office or by the audit function. It scales further because the assessment can be broken down into specific components, for example assessing the security posture or the retention policy. Because the assessments are based on the accountability mechanisms, Nymity ExpertPIA™ enables Accountability Effectiveness Assessments™.
Creates discoverable and documented compliance
Because Nymity ExpertPIA™ mitigates risk by applying policies and other accountability mechanisms, it is the business that selects and applies the appropriate accountability mechanism. These policies and other accountability mechanisms become documentation that serves as evidence of compliance. In other words, the business can show that it complied with the policies, procedures and other mechanisms for this processing, and it now holds discoverable evidence of compliance. In an investigation of any kind, the business has a defensible position, as the documents serve as evidence that the business is accountable.
Avoids documenting high-risk processing, unless required by law
Nymity ExpertPIA™ focuses on upfront risk mitigation and identifies high-risk processing where the law (e.g. the GDPR) defines it. The outcome is that high risk is documented only where the law requires it, and any discovery will reveal the efforts the organization has made to minimize risk.
Save time with turn-key content rather than a shell of questionnaires. Questions are delivered contextualized to jurisdiction, department, product, process and system.
Accountability Mechanism Catalogue (PbD)
Maintain a catalogue of all your organisation’s policies, procedures, guidelines and other mechanisms that have been developed throughout the organisation to minimise privacy risk.
Includes up-to-date DPIA Auto-Triggers™
Nymity ExpertPIA™ automates the complicated criteria for deciding when a DPIA is required. DPIA criteria vary by country and by Supervisory Authority, are dynamic and change over time. Nymity ExpertPIA™ leverages Nymity's ongoing research, conducted by a dedicated team of 15+ privacy experts, to automate the criteria that trigger the need for a DPIA and, when appropriate, alert both the business and the Privacy Office/DPO. When the criteria change (as they will), the Privacy Office/DPO is notified of previously assessed processing that is affected by the new criteria.
On-demand Compliance Reporting™ for Article 35 (Data protection impact assessments) – with drill-down evidence
Nymity ExpertPIA™ automatically generates a wide variety of reports of value to the business, including reports that meet legal and regulatory requirements, and produces them on demand (as required by some laws, including the GDPR). Should an investigation occur, the solution supports regulatory inquiries related to data location, data transfer mechanism, legal grounds for processing, risk to individuals, purpose, data type, DPIA criteria, data recipients, data subjects, retention periods, and which appropriate technical and organisational measures are in use and where. Reports can be produced on any combination of the above.
Includes an Accountability Balancing Test Support™
Nymity ExpertPIA™ captures the key data necessary to conduct the balancing test when legitimate interest is used as the legal ground for processing. For example, every PIA identifies the benefits of the processing to individuals and the potential harms to individuals that have been mitigated, two key elements of the balancing test.
Potential Legitimate Interest Processing™ support
Nymity ExpertPIA™ enables new processing based on purposes. The Nymity research team maintains an expert knowledgebase of processing purposes, and the solution produces reports that suggest new processing the business may not have known was possible with its current data set, where legitimate interest might serve as the legal ground for processing. When the business is planning a new project, the solution also identifies its potential eligibility for legitimate interest as the legal ground.