
Blog

CNIL Releases Guides Regarding Privacy Impact Assessments



Author

Sara Susnjar


August 18, 2015

In anticipation of the forthcoming General Data Protection Regulation, the French data protection authority (the “CNIL”) published two Privacy Impact Assessment Guides. The guides are a follow-up to the CNIL’s 2010 and 2012 security publications. The first concerns the methods to be adopted by data controllers in conducting the privacy impact assessment (PIA); the second concerns the templates and samples for the PIAs.

The guides rest on two main pillars: (i) the fundamental principles and rights fixed by law that must be complied with; and (ii) privacy risk management, which makes it possible to determine the technical and organizational controls adequate to protect personal data. The guides set out a four-step PIA procedure consisting of: (i) a context study (defining the processing of personal data, its context and what is at stake); (ii) a controls study (identification of the planned measures); (iii) a risk study (analysis of the risks to data security); and (iv) validation (validation of the strategy, taking into account how legal requirements will be fulfilled and how risks will be treated). While “in theory” there is no obligation to carry out PIAs, the guides note that a PIA must be kept available to the data protection authorities and that there may be legal obligations to carry out a PIA – for example, where the lack of a PIA contributed to a security breach.

TIP: The CNIL guidance, while not mandatory, can help companies meet their French data security obligations and is useful for understanding what the CNIL expects of companies operating in France.


This entry has been created for information and planning purposes. It is not intended to be, nor should it be substituted for, legal advice, which turns on specific facts.
