What can the California Privacy Protection Agency learn from the EU experience as it gets ready to draft regulations regarding DPIAs? Here is a recap of my remarks from the CPRA Regulations Stakeholder Session:
1) Don’t reinvent the wheel: Lean on the specificity already in the Virginia (VA) and Colorado (CO) privacy laws as a starting point, and on the detailed DPIA work that has already been done in the EU.
This gets regulations drafted faster and in front of companies looking to comply. It also provides more legal certainty, and it helps multinationals, who can leverage the EU DPIA work they have already done.
2) Provide clear guidelines for when a DPIA is needed.
Provide a decision tree if possible. Don’t be too specific. (For example, the European Data Protection Board rejected a member state blacklist that required a DPIA merely for processing sensitive information or for cross-border transfers.) Consider also providing a “white list” of processing for which a DPIA would not be needed. Provide guidance on when to revisit a DPIA (e.g., technological advances, changes in the processing, or a post-M&A acquisition). Define the input that service providers can provide to assist the business. (Consider issuing guidance encouraging, or expecting, assistance from the large providers, especially on transparency.) Provide guidance on how to integrate the DPIA with other risk assessments.
3) Provide clear, but not too complicated, guidelines for how to carry out a DPIA.
Leverage the EU models: ICO, CNIL (with its taxonomies), NL, ES, DE, and/or ISO 29134 (updated). Leverage the existing information security management system (ISMS) and build the privacy management system on top of it.