Changes in Conducting Data Protection Risk Assessment and After GDPR implementation

Abstract

Based on Article 35 of the EU (European Union) General Data Protection Regulation, a Data Protection Impact Assessment (DPIA) is necessary whenever there is a possibility of a high privacy and data protection risk to individuals caused by a new project under development. A similar process to DPIA had been previously known as Privacy Impact Assessment (PIA). We are investigating here to find out if GDPR and DPIA specifically as its privacy risk assessment tool have resolved the challenges privacy practitioners were previously facing in implementing PIA. To do so, our methodology is based on comparison and thematic analysis on two sets of focus groups we held with privacy professionals back in January 2018 (four months before GDPR came into effect) and then in November 2019 (18 months after GDPR implementation).