Not too long ago, privacy was an after-thought. Something that most customers and companies weren’t overly concerned about.
Now, most consumer concerns around connected devices include privacy breaches and unauthorized information gathering. Company privacy departments have grown from one person to an entire staff.
Conducting a Privacy Impact Assessment (PIA) is a common process to ensure consumer data is collected safely and transparently while mitigating risk for the organization.
Risks are identified and assessed while privacy and security teams act to minimize privacy risks for specific products, services, and systems.
The assessment serves to help companies see where they stand in terms of privacy practices, thereby also helping companies protect consumers’ personal data
Big data presents many commercial business opportunities but must be mined safely. Several high-profile companies have made headlines for privacy breaches, and although it’s possible to recover, it can be a long and slow process.
Businesses of all sizes should consistently conduct PIAs. For companies that want to be around long-term, data privacy is not an option.
Consumer Privacy Concerns
In the past, TrustArc conducted numerous surveys asking people about their thoughts regarding smart technology, connected devices, and privacy issues.
It’s clear from our surveys and external research that consumers are concerned about privacy, and businesses need to alleviate those concerns.
- 65% of American consumers say they are slightly or not at all confident that personal data is private.
- 96% of Americans agree that more should be done to ensure that companies protect consumers’ privacy.
- 62% of smart product owners worry about the potential loss of privacy.
A company’s privacy team is responsible for ensuring that the organization uses personal data ethically and in a way that’s consistent with the company’s privacy policy.
Before Starting a Privacy Impact Assessment
To handle personal data, organizations must be as transparent as possible with customers while providing notice about how they will use customer data.
If you give customers choices and control over how their personal data is used, they’re more likely to provide information and trust the organization.
Examples of personal data include contact information, social security numbers, driver’s licenses, financial account information, individually identifiable health information, log-in credentials, device IDs, browsing habits, and personal preferences.
Many businesses collect data without even thinking about it. Nevertheless, it’s vital to be aware that you’re collecting this information and ensure its protection.
PIA Budget and Timeline
Agree on a budget and clarify the PIA expenses to be incurred throughout this process before you start. Factor in the ROI of reducing the company’s risk.
These expenses typically include consulting fees, tools to automate the assessment process, and employee labor to conduct the assessment.
For start-ups, employees sometimes abandon the process to put-out fires and launch other projects. All companies to set realistic timeframes and schedule regular meetings to monitor assessment progress.
The privacy office will need an adequate number of employees to support the PIA process, which needs cross-department support on occasion. Assembling the right PIA team is essential to conducting a successful assessment.
Some of the members a PIA team should include are:
- An executive responsible for the budget for the PIA – perhaps the CISO, CIO, DPO, CPO, or CTO.
- Privacy office staff to lead the effort and track daily progress.
- Product managers, IT managers, and marketing managers.
- Members of the company’s legal team who are experts in data privacy.
- External privacy consultants to offer outside perspective and help ensure compliance.
6 Steps for Conducting Privacy Impact Assessments
- Identify the need for a PIA with a Privacy Threshold Analysis
- Describe the data flows by data mapping
- Identify and assess privacy risks
- Identify and evaluate the solutions (remediation)
- Sign-off and record PIA outcomes
- Integrate the PIA outcomes back into the PIA plan of record
Conducting a PIA is an efficient way for a company to evaluate its privacy practices and pinpoint any weak areas.
Starting a PIA
The first step in the PIA process is identifying the need with a Privacy Threshold Analysis.
Analyze each business asset and the privacy concerns surrounding those assets to determine the potential privacy impact.
The questions in the threshold analysis are high-level, and the answers will determine which assets collect data in a way that needs further analysis.
If the answers to the threshold analysis demonstrate that personal data is collected and used in a manner that requires further analysis, then the privacy team will fill out a PIA questionnaire.
This questionnaire is more specific regarding the nature of data collection and other data practices. This initial process helps determine the scope of the assessment.
Answers to the assessments analyze the collection of personal data, the sources of information collected, the intended use of the information, if it’s shared with any third parties, and the mechanism for individuals to grant or decline their consent.
Meticulously examining high-level privacy practices from the very start of this process will ensure the accuracy of the PIA. Going forward, the PIA will dive deeper into a company’s privacy practices.
Describe Data Flows with Data Mapping
The second step of a PIA is to describe the information flows, also called data mapping.
Using a data map, organizations can ensure executives – in addition to the privacy team – know how data flows through their organization.
By examining the data map, those conducting the PIA can focus on how data flows into, through, and out of an organization – and identify any gaps where data is not protected.
Data mapping also precisely answers why data is collected, where it’s stored, who can access it, and other important questions.
Identify and Assess Privacy Risks
The third step is to identify and assess privacy-related risks. After creating the data map, it can become easier to identify where potential risks in the data collection process are for the organization being assessed.
To start identifying risks, examine:
- where notice and choice to an individual are not adequate
- when security controls are insufficient
- and when data quality is compromised
This step helps communicate to executives and stakeholders the exact privacy risks that the organization could face.
Remediation
Step 4 is to identify and evaluate solutions for privacy gaps that were discovered in the initial steps. Experts should create a remediation plan and determine which features must be implemented.
Prioritize outstanding privacy risks that need to be addressed and changes to any privacy policies, procedures, or processes. Some risks will require escalation to executives with the authority to execute the solution.
Follow the documented remediation plan so you can later demonstrate how the organization address known privacy risks.
Sign-off and Record PIA Outcomes
The remediation plan from step 4 is recorded for future use as the PIA plan of record. A compliant business will document the problem and solution in detail, except for data covered under the non-disclosure agreements.
The main value of the plan of record lies in keeping it accessible and useful for the next time the same product or activity is up for review or if a problem arises. Maintain the plan to preserve its value.
Integrate Outcomes Into the PIA Plan of Record
The final step is to integrate the outcomes back into the PIA plan of record. Essentially, to fill the identified gaps.
This document lists the people responsible for overseeing the remediation effort and clarifies the steps required to remediate risk.
Don’t miss the opportunity to record the lessons learned to reduce the risk of future issues. A carefully maintained PIA plan of record details the ground that has already been covered and reduces the risk in future efforts to gather information.