PIA tool

The General Data Protection Regulation (GDPR) requires that organisations carry out Data Protection Impact Assessments (DPIAs, also called PIAs) before starting a processing operation likely to result in a high risk. The PIA tool is free and open source software, available as a standalone application and as a “server” version. It helps organisations conduct PIAs by guiding them through the process step by step, and thus to demonstrate compliance with the GDPR.

Innovation Summary

Innovation Overview

The GDPR became applicable in May 2018. While raising general awareness of data protection and privacy issues, it also places new regulatory obligations on organisations processing personal data. Organisations are now required to carry out Data Protection Impact Assessments (DPIAs or PIAs) before starting processing operations likely to result in a high risk to the rights and freedoms of individuals.

Since carrying out a PIA is a complex matter, the CNIL (the French data protection authority) has developed guidance and a software tool to help public and private organisations.

The PIA tool is part of a global PIA initiative developed by the CNIL. The initiative includes (https://www.cnil.fr/en/cnil-publishes-update-its-pia-guides):
- a PIA method, templates and a code of practice, published in three guides based on the regulation and leading practices (https://www.cnil.fr/en/PIA-privacy-impact-assessment-en);
- frameworks that adapt the method to a specific business context (for example the Internet of Things: https://www.cnil.fr/sites/default/files/atoms/files/cnil-pia-piaf-connectedobjects-en.pdf) and give sector-specific guidance;
- case studies that give practical, worked examples of the method (https://www.cnil.fr/sites/default/files/atoms/files/cnil-pia-captoo-fr.pdf);
- a software tool that carries out PIAs by unfolding the method step by step, embeds the materials above as contextual information, and includes the case studies as examples (https://www.cnil.fr/en/open-source-pia-software-helps-carry-out-data-protection-impact-assesment).

Within this overall PIA offer, the software tool's development also followed an innovative approach. It was based on a design-thinking methodology that involved potential users in the making process through several discussion and testing sessions. Three principles arose from those sessions: a step-by-step approach to the PIA, contextual content, and modularity and openness.

The tool unfolds the CNIL's PIA method progressively, so the user can readily understand the method, the regulatory requirements and the leading practices. To do so, it relies on a user-friendly interface for carrying out PIAs and managing them. This step-by-step approach is complemented by several visualisation tools that give a quick view of the risks associated with the data processing.

Additionally, the tool's content takes into account the whole regulatory framework as well as the norms and best practices set out by standards bodies and widely used in organisations. Thus the tool covers the legal points that ensure the lawfulness of processing and the rights of data subjects, as well as the technical and organisational measures that manage and reduce the risks of the processing.
All this information is presented through a contextual knowledge base, available at every step of the PIA, which delivers the relevant content according to the aspect of the processing being studied.

Finally, we adopted a highly modular and open approach to the development of the tool. Since organisations have specific needs depending on their sector of activity, we decided to make the tool as customisable as possible. The source code is therefore published under a free licence, so anyone can modify the tool and its features, which eases integration into the information systems of various organisations.

The tool was first released in November 2017, in French and English. Other language versions were contributed by the community, and it is now available in 14 languages. The PIA software was downloaded 70 000 times in the first six months after release. The tool has been widely adopted by the data protection community and is used by many organisations, from global corporations to public bodies such as hospitals and local administrations.

Status:

  • Implementation - making the innovation happen
  • Evaluation - understanding whether the innovative initiative has delivered what was needed
