After Reference by Article 29 Working Party, ISO publishes ISO/IEC 29134:2017
The International Organization for Standardization (ISO) recently published its ISO/IEC 29134:2017 framework “guidelines for privacy impact assessment.” The framework includes guidelines for “a process on privacy impact assessments, and a structure and content of a PIA report,” and is designed to be “applicable to all types and sizes of organizations, including public companies, private companies, government entities and not-for-profit organizations.”
ISO states that the framework is “relevant to those involved in designing or implementing projects, including the parties operating data processing systems and services that process PII.”
The Article 29 Working Party Guidelines on DPIAs
These guidelines may be of particular interest to organizations governed by the EU General Data Protection Regulation (GDPR), as the Article 29 Working Party (WP29) references the framework in its “Guidelines on Data Protection Impact Assessments (DPIA) and determining whether processing is ‘likely to result in a high-risk'” under the GDPR (the Guidelines). The WP29 notes the ISO 29134 as an international standard taken into account by the Guidelines, and as an “international standard [that] will also provide guidelines for methodologies used for carrying out a DPIA.”
While ISO 29134 are guidelines only, the fact that they are referenced twice in the WP29 Guidelines could shed more light on understanding what exactly European supervisory authorities expect to see from data controllers in performing DPIAs under Article 35 of the GDPR.
How OneTrust Helps
OneTrust helps operationalize privacy by design in order to comply with GDPR requirements. Our automated privacy impact assessments (PIAs) and data protection impact assessments (DPIAs) are designed to increase organization-wide adoption through role-based templates and self-service tools that are integrated into project lifecycles. All privacy projects across the organization are consolidated into a central dashboard for a complete record of data protection activities.
OneTrust provides a comprehensive library of customizable assessment templates, built by in-house privacy experts and incorporating industry best practices and regulatory guidance, which can then be tailored to fit your specific organizational workflows.