What can the California Privacy Protection Agency learn from the EU experience as it gets ready to draft regulations regarding DPIAs? Here is a recap of my remarks from the CPRA Regulations Stakeholder Session:
1) Don’t reinvent the wheel: Lean on the specificity in the VA and CO laws as a start, and on the detailed work that has been done in the EU.
- This is faster to get off the ground and in front of companies looking to comply.
- It also provides more legal certainty, and is helpful to multinationals who can leverage EU work they have done.
2) Provide clear guidelines for when a DPIA is needed.
- Provide a decision tree if possible.
- Don’t be too specific. (For example: the European Data Protection Board rejected a member state blacklist that required a DPIA just for processing sensitive information or for cross-border transfers.)
- Consider also providing a “white list” where a DPIA would not be needed.
- Provide guidance on when to revisit the DPIA (e.g. technological advances, changes in processing, post-M&A acquisition).
- Define the input that service providers can provide to assist the business. (Consider issuing guidance encouraging/expecting assistance from the large providers – especially for transparency.)
- Provide guidance on how to integrate with other risk assessments.
3) Provide clear, but not too complicated, guidelines for how to carry out a DPIA.
- Leverage the EU Models: ICO, CNIL (with the taxonomies), NL, ES, DE, and/or ISO 29134 (updated).
- Leverage the ISMS and build the Privacy MS on top of it.
- Land somewhere between UK and Germany.
- ICO – Very easy to read the model, but there may be issues with wrong implementation (proportionality/necessity assessment component is open ended).
- Germany – Very complex and detailed model which maps the TOMs to the risks. This is helpful, but there should also be an SME friendly model.
- Provide guidance re: risks to consider: Leverage existing harms and risk taxonomies.
- Provide guidance on how to carry out the process: For example, a 3D model that requires you to break the processing down into phases (like: storage, use, modification, sharing) and assets (software, hardware, employees, recipients). And for each phase/asset, assess the likelihood and severity of an infringement of the relevant data protection principles.
- Provide guidance on the process itself and the relevant stakeholders within the company and outside (e.g. involving the individuals impacted).
- Provide options/guidance for SMEs.
- Provide/source recommended DPIAs (e.g. in difficult areas like algorithmic impact assessment as discussed in the EU AI Act), which will allow companies to check whether a DPIA was performed in a similar case. (The Commission Nationale de l’Informatique et des Libertés (CNIL) has a number of sample analyses. The Data Protection Commission Ireland has also recommended a few as “gold standard.”)
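As an added illustration of the phase/asset model described under point 3 (this is example code written for this page, not part of the original remarks or of any regulator’s model), the snippet below builds the three-dimensional grid of processing phases, assets and data protection principles, scores each rated cell by likelihood times severity, ranks the results, and lists the cells nobody has rated yet. The phases and assets are the ones named above; the principle list, the 1–3 scales, the threshold and the sample ratings are constructed assumptions.

```python
from itertools import product

# Constructed vocabulary for the example; a real DPIA would use the agency's taxonomies.
PHASES = ("storage", "use", "modification", "sharing")
ASSETS = ("software", "hardware", "employees", "recipients")
PRINCIPLES = ("confidentiality", "purpose limitation", "data minimisation", "accuracy")

# Assumed ordinal scales; the product gives a 1..9 risk score.
LIKELIHOOD = {"remote": 1, "possible": 2, "likely": 3}
SEVERITY = {"minimal": 1, "significant": 2, "severe": 3}


def risk_score(likelihood: str, severity: str) -> int:
    """Combine a likelihood rating and a severity rating into one score (1..9)."""
    return LIKELIHOOD[likelihood] * SEVERITY[severity]


def all_cells():
    """Every (phase, asset, principle) cell of the 3D model."""
    return list(product(PHASES, ASSETS, PRINCIPLES))


def unrated_cells(ratings):
    """Cells that have not been rated yet: a completeness check before sign-off."""
    return [cell for cell in all_cells() if cell not in ratings]


def prioritised_risks(ratings, threshold=4):
    """Return rated cells whose score is at or above the threshold, highest first.

    ratings maps (phase, asset, principle) -> (likelihood, severity).
    """
    scored = []
    for (phase, asset, principle), (likelihood, severity) in ratings.items():
        score = risk_score(likelihood, severity)
        if score >= threshold:
            scored.append((score, phase, asset, principle))
    scored.sort(key=lambda r: (-r[0], r[1], r[2], r[3]))
    return scored


# Constructed sample ratings for a hypothetical processing activity.
SAMPLE_RATINGS = {
    ("sharing", "recipients", "confidentiality"): ("likely", "severe"),
    ("storage", "software", "confidentiality"): ("possible", "significant"),
    ("use", "employees", "purpose limitation"): ("remote", "minimal"),
}

if __name__ == "__main__":
    for score, phase, asset, principle in prioritised_risks(SAMPLE_RATINGS):
        print(f"{score}: {phase}/{asset} -> {principle}")
    print(f"{len(unrated_cells(SAMPLE_RATINGS))} cells still unrated")
```

The unrated-cell count is the part an SME-friendly template most needs: it turns “did we consider every phase and asset” into a checklist, while the ranked list is what feeds the mitigation plan (the TOMs-to-risk mapping the German model makes explicit).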