On Privacy Impact Assessment
Data protection impact assessments (DPIAs), or privacy impact assessments (PIAs) as they are more commonly known in the Philippines, can be used by companies to identify and address any data protection issues that may arise when developing new products and services or undertaking any new activities that involve the processing of personal data.
Conducting a PIA is recommended as part of an organization’s security incident management policy.
According to NPC Circular No. 2017-03, a PIA should be conducted for both new and existing systems, programs, projects, procedures, measures, or technology products that involve or impact the processing of personal data. For new processing systems, it should be undertaken prior to their adoption, use, or implementation. Changes in the governing law or regulations, or those adopted within the organization or its industry, may likewise require the conduct of a PIA, particularly if such changes affect personal data processing.
Note, however, that the PIC or PIP may forego the conduct of a PIA only if it determines that the processing involves minimal risks to the rights and freedoms of individuals, taking into account recommendations from the DPO. In making this determination, the PIC or PIP should consider the size and sensitivity of the personal data being processed, the duration and extent of processing, the likely impact of the processing on the life of the data subject, and the possible harm in case of a personal data breach.
A preliminary review by the DPO of whether the processing involves minimal risks, and thus whether a full-blown PIA is required, is sometimes called “threshold analysis”.
It is highly recommended (read: mandatory) to do a PIA if:
It involves high risks to the rights and freedoms of individuals;
It involves a major project in your organization;
You are processing sensitive personal information on a large scale;
You are using profiling or automated decision making; or
You are processing personal information of a high-risk or vulnerable group of individuals, such as senior citizens, PWDs, or children.