GDPR: Mandatory Privacy Impact Assessments

Written by Natalie Bluhm on December 8, 2017


Over the last 20 years, technology has changed dramatically. First and foremost, the internet and how people use it have been completely transformed. More personal data is being used in revolutionary new ways, which brings with it significant benefits and risks. In response, European Union (EU) data protection laws have been revisited to address modern internet usage, resulting in the EU Parliament approving the General Data Protection Regulation (GDPR) in April 2016. On May 25, 2018, the GDPR becomes enforceable; however, Gartner predicts “that by the end of 2018, more than 50% of companies affected by the GDPR will not be in full compliance with its requirements.” There is still time to achieve compliance, and some of the GDPR components might already be in place in your organization. One component of the GDPR is a mandatory Privacy Impact Assessment (PIA) in certain scenarios involving data collection and processing.

This post explores this component of the GDPR in more detail. If you are more interested in a general overview of the GDPR, consider browsing our overview of GDPR and JumpCloud or this official website instead. The GDPR also introduces some new terminology, and this GDPR definition page explains the meaning of those terms.

Mandatory Privacy Impact Assessments (PIA)


A Privacy Impact Assessment documents how an organization handles personal information, how it secures that information, and how it maintains its privacy (TechTarget). The GDPR requires controllers to carry out a PIA in the following circumstances (GDPR Art. 35):

  • New systems or software are used for processing data.
  • Processing is likely to result in a high risk to the data subjects’ rights and freedoms.
  • Data collection involves systematic monitoring of a publicly accessible area on a large scale.
  • A large-scale project involves collecting data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union memberships, genetics, biometrics, or health.
  • A large-scale project collects personal data relating to criminal convictions and offenses.
  • A project might produce decisions that have legal effects on a natural person or otherwise significantly affect that person.

Even if a controller’s data project doesn’t meet any of these circumstances, it’s still important to be aware of the situations in which a PIA is required, because a future project might trigger the need for one. If you foresee future projects introducing new technology or special categories of data, you might want to put a PIA process in place now.

GDPR compliance

Under certain circumstances, controllers and processors are required to have a data protection officer (DPO). Controllers that have a DPO need to seek out the data protection officer’s advice when carrying out a Privacy Impact Assessment. When an assessment is carried out, it has to include the following (GDPR Art. 35):

  • An assessment of the risks to the rights and freedoms of data subjects.
  • The necessity and proportionality of the processing operations in relation to their purposes.
  • How the risks will be addressed, and what measures are being taken to protect personal data.
  • How the processes for the project meet GDPR compliance.

The GDPR’s stipulations for a Privacy Impact Assessment highlight the GDPR’s end goal: protecting and empowering all EU citizens when it comes to their data privacy, and harmonizing how organizations approach data privacy and security in the EU.

Security and privacy have always been essential to JumpCloud, and JumpCloud will be GDPR compliant by May 2018. So, where does JumpCloud fall in the GDPR’s mandatory PIA?

JumpCloud and GDPR’s Mandatory Privacy Impact Assessments

JumpCloud doesn’t meet any of the categories in which a PIA is required. The minimum amount of data needed to interact with our platform consists of a phone number, company information, and an email address. We also work to create a personalized experience within our service and platform, and to create that experience we collect IP addresses and use cookies. We don’t use any new technology to collect this data, and we don’t collect any data that falls into the GDPR’s special categories listed above.

This all being said, JumpCloud does regularly discuss internally what data is being collected, why it is being collected, and whether we could potentially collect less data without impacting our ability to successfully deliver our services and support.

For more information on JumpCloud’s GDPR compliance, please visit this page or contact us with any questions. Curious about our directory services? Sign up for a free account and explore all of our features. Your first ten users are free forever.
