P.I.A.: Assessing the Impact on Privacy

1) Purpose and scope

Purpose: systematically identify and reduce risks to the rights and freedoms of data subjects when changing the iGaming product/infrastructure.
Coverage: new/significantly changed features, anti-fraud and RG models, implementation of SDK/PSP/KYC providers, data migrations, A/B tests with personalization, cross-border transfers, profiling.

2) When P.I.A./DPIA is required

• Large-scale profiling/surveillance (behavioral analytics, risk scoring, RG triggers).
• Handling of special categories (biometrics liveness, health/RG vulnerabilities).
• Combination of data sets creating new risks (merging marketing and payment data).
• Systematic monitoring of a publicly accessible area (e.g. stream chats).
• Cross-border transmissions outside the EEA/UK (in conjunction with DTIA).
• Significant changes in goals/grounds or the emergence of new vendors/sub-processors.
• If the risk is low, PIA screening and a brief entry in the RoPA are sufficient.

3) Roles and responsibilities

DPO - Methodology Owner, Independent Assessment, Residual Risk Reconciliation, Oversight Contact.
Product/Engineering - initiator, describes goals/flows, implements measures.
Security/SRE - TOMs: encryption, accesses, logging, DLP, tests.
Data/BI/ML - minimization, anonymization/pseudonymization, model management.
Legal/Compliance - legal grounds, DPA/SCCs/IDTA, compliance with local rules.
Marketing/CRM/RG/Payments - domain owners of data and processes.

4) P.I.A./DPIA process (end-to-end)

1. Initiation and screening (in CAB/Change): short questionnaire "does DPIA need? ».
2. Mapping of data (Data Map): sources → fields → purposes → bases → recipients → periods of storage → geography → subprocessors.
3. Assessment of legality and necessity: choice of legal basis (Contract/Legal Obligation/LI/Consent), LIA test (balance of interests) at Legitimate Interests.
4. Identification of risks: threats to confidentiality, integrity, accessibility, rights of subjects (automated decisions, discrimination, secondary use).
5. Risk scoring: probability (L 1-5) × impact (I 1-5) → R (1-25); color zones (zel/yellow/orange/red).
6. Action Plan (TOMs): preventive/detective/corrective - with owners and deadlines.
7. Residual risk: repeated scoring after measures; go/conditioned go/no-go solution with high residual risk - consultation with supervision.
8. Commit and Run: DPIA Report, RoPA Updates/Policies/Cookies/CMP, Contract Documents.
9. Monitoring: KRIs/KPIs, DPIA reviews for changes or incidents.

5) Privacy risk matrix (example)

Probability (L): 1 is rare; 3 - periodic; 5 - frequent/constant.
Impact (I): considers PII volume, sensitivity, geographies, vulnerability of subjects, reversibility of harm, regulatory implications.

6) Set of technical and organizational measures (TOMs)

Minimization and integrity: collecting only the necessary fields; separation of identifiers and events; data vault/ RAW→CURATED zones.
Pseudonymization/anonymization: stable pseudo-ID, tokenization, k-anonymity dla reports.
Security: encryption at rest/in transit, KMS and key rotation, SSO/MFA, RBAC/ABAC, WORM logs, DLP, EDR, secret manager.
Vendor control: DPA, sub-processor registry, audit, incident test, no recycling.
Rights of subjects: DSAR procedures, objection mechanisms, "non-tracking" where possible, human-review for critical decisions.
Transparency: Policy update, cookie banner, preference center, vendor list version.
Quality and fairness of models: bias tests, explainability, periodic recalibration.

7) Communication with LIA and DTIA

LIA (Legitimate Interests Assessment): is carried out if the foundation is LI; includes a test of purpose, necessity and balance (harm/benefit, user expectations, mitigating measures).
DTIA (Data Transfer Impact Assessment): mandatory in SCCs/IDTA for countries without adequacy; fixes the legal environment, the access of the authorities, technical measures (E2EE/client keys), the territory of the keys.

8) DPIA Report Template (Structure)

1. Context: initiator, description of the feature/process, goals, audience, timing.
2. Legal grounds: Contract/LO/LI/Consent; LIA summary.
3. Data map: categories, sources, recipients, sub-processors, geography, retention, profiling/automation.
4. Risk assessment: list of threats, L/I/R, affected rights, possible harm.
5. Measures: TOMs, owners, deadlines, performance criteria (KPI).
6. Residual risk and decision (go/conditional/no-go); if high - a plan of consultation with supervision.
7. Monitoring plan: KRIs, events for revision, connection with the incident process.
8. Signatures and approvals: Product, Security, Legal, DPO (required).

9) Integration with releases and CAB

DPIA gate: for risky changes - a mandatory artifact in CAB.
Feature-flags/canaries: enabling features with a limited audience, collecting privacy signals.
Change-log of privacy: version of the Policy, list of vendors/SDK, CMP updates, date of entry.
Rollback plan: disabling SDK/features, deleting/archiving data, revoking keys/accesses.

10) P.I.A./DPIA Performance Metrics

Coverage:% of releases screened for PIA ≥ 95%;% of risk changes with DPIA ≥ 95%.
Time-to-DPIA: median time from initiation to resolution ≤ X days.
Quality: the proportion of DPIAs with measurable measure KPIs ≥ 90%.
DSAR SLA: confirmation ≤ 7 days, execution ≤ 30; DPIA communication for new features.
Incidents: percentage of leaks/complaints related to zones without DPIA → 0;% of notifications at 72 hours - 100%.
Vendor readiness:% of risky vendors with DPA/SCCs/DTIA - 100%.

11) Domain cases (iGaming)

A) New KYC provider with biometrics

Risks: special categories, jubilation, secondary use of images.
Measures: storage at the provider, strict DPA (prohibition of training on data), encryption, deletion via SLA, fallback provider, DSAR channel.

B) Antifrod behavioral scoring model

Risks: automated decisions, discrimination, explainability.
Measures: human-review for high-impact solutions, explainability, bias audits, cause log, minimizing features.

C) Marketing-SDK/retargeting

Risks: tracking without consent, covert transmission of identifiers.
Measures: CMP (granular consent), server-side tagging, anon-IP mode, contractual prohibition of secondary goals, transparency in the Policy.

D) Responsible Gaming (RG) alerts

Risks: data sensitivity, incorrect flags → harm to the user.
Measures: soft interventions, right of appeal, restricted access, decision log, support training.

E) Data migration to cloud/new region

Risks: cross-border, new sub-processor.
Measures: SCCs/IDTA + DTIA, keys in EU, segmentation of environments, incident test, sub-processor registry update.

12) Checklists

12. 1 PIA screening (rapid)

• Is there solution profiling/automation?
• Are special categories/children's data processed?
• New vendors/sub-processors/countries?
• Are the goals/reasons for processing changing?
• Large volumes/vulnerable groups involved?

→ If yes ≥1 -2 points, start the DPIA.

12. 2 DPIA report readiness

• Data map and RoPA updated
• LIA/DTIA (if applicable) completed
• Measures (TOMs) assigned and measurable
• Residual risk assessed and agreed by DPO
• Policy/Cookies/CIW Updated
• Footprint and versions saved

13) Templates (fragments)

13. 1 Objective statement (example):

"Ensure fraud prevention in withdrawals using behavioral scoring on legitimate interest, with data minimization and human-review for solutions that restrict access to funds."

13. 2 KPI measures (example):

Model FNR reduction by P95 without FPR growth> 2 p.p.
The DSAR response time to new features ≤ 20 days.
Removal of biometrics 24 hours after verification, confirmation log - 100%.

13. 3 Field in RoPA (add-on):

`automated_decision: true | legal_basis: LI | LIA_ref: LIA-2025-07 | dpia_ref: DPIA-2025-19 | dpo_sign: 2025-11-01`

14) Artifact storage and auditing

DPIA/LIA/DTIA, solutions, Policy/banner versions, DPA/SCCs/sub-processor registry, CMP consent logs - store centrally (WORM/versioning).
Audit once a year: DPIA sampling, verification of implemented measures, control of metrics, DSAR test.

15) Implementation Roadmap

Weeks 1-2: implement PIA screening in CAB, approve DPIA template, train owners.
Weeks 3-4: launch Data Map/RoPA, CIW/banner, vendor registers, prepare DPA/SCCs/DTIA.
Month 2: conduct the first DPIA on high-risk flows (CCP/anti-fraud/marketing), link KPIs.
Month 3 +: DPIA quarterly reviews, bias audits of models, leak test drills, continuous improvements.

TL; DR

PIA/DPIA = early screening + data map + legality (LIA/DTIA) + risk and measures assessment (TOMs) + agreed residual risk under DPO control + metrics monitoring. We embed in CAB and releases - and turn privacy into a controlled, verifiable process, and not into "fire work."