Privacy Impact Assessment Best Practices

Privacy laws, whether it’s the GDPR, CCPA, or other state privacy laws, have many requirements in common. One of the most common obligations across the numerous privacy laws placed on businesses is performing a Privacy Impact Assessment (PIA). Domestically, Utah and Iowa are the only states whose privacy laws don’t require PIAs.

PIAs are one of the most challenging privacy-related hurdles for businesses to clear. There is often confusion about when PIAs need to be performed, what constitutes potential harm to the consumer, the best strategies for executing the assessments, and how to discover, mitigate, and manage risk.

We want to help clear up that confusion. In this article, we will break down when data privacy impact assessments are required and explore strategies for making them easier to complete.

What is a Privacy Impact Assessment

A Privacy Impact Assessment is a systematic process to assess the potential privacy risks and impacts to consumers of a project, system, or process that involves the collection, processing, or storage of personal data.

Note that different laws use different terminology. Some state laws use terms such as “Data Protection Assessment” or “Data Privacy Impact Assessment” instead of Privacy Impact Assessment.

When are PIAs Required

Most laws also call for a PIA when processing data presents a significant or heightened risk of harm to the consumer. Some potential harms that are specified throughout the different privacy laws include:

  • Financial injury
  • Discrimination
  • Privacy and data security harms
  • Constitutional harms
  • Deceptive treatment
  • Intellectual privacy harms

Privacy laws provide a broad set of triggers for when an assessment needs to be completed; they typically include a combination of the following actions:

  • Targeted advertising
  • Selling or sharing personal data
  • Processing sensitive information
  • Using automated decision-making (AI in certain capacities)
  • Processing the data of minors (age range varies by state)
  • Processing the data of employees

Each of these actions requires an assessment to be performed and documented.

To add further complexity and risk, many of the states require that PIAs be provided upon request to the authority responsible for enforcing the law. Most often, an assessment cannot be completed in a matter of days. Your business needs to be proactive in completing and documenting PIAs. Do not wait until you receive a request, because your organization will struggle to get the assessment done fast enough.

Privacy Impact Assessment Challenges

Insufficient or Incorrect Information

Gathering the needed and correct information to complete a PIA can be difficult. The data could reside with multiple departments across the organization. Identifying staff members who are knowledgeable about the processing activities is another potential hurdle.

Lack of Support

To finish an assessment, several departments may need to play a role. The privacy team will likely spearhead the project, but they might not know enough about the technology and systems used in the processing activity to handle the project. Other departments such as IT and Development may need to step in, but they may not understand the importance of the assessment or see it as a priority.

What to do When You Find Risky Activities

Organizations need to be prepared to make significant business decisions if the assessment reveals that a processing activity creates more risk than the business is willing to accept. Examples could include developing new policies for data encryption, cutting ties with a vendor, or even stopping a processing activity.

Strategies for PIA Success

Because we want to provide solutions rather than just point out problems, here are some steps we recommend taking to ensure Privacy Impact Assessments can be conducted successfully:

Define Success

Businesses need to know what they want to accomplish with the assessment. Is the goal to reduce risk to the business and consumers? Is the assessment’s top priority to meet legal obligations under a privacy law? Does the assessment have an associated ROI, such as identifying vendor redundancies that could lead to cutting costs? Do you want to create a PIA document to share publicly along with the document you provide to the regulator?

Educate your Staff

Very few, if any, of your employees would identify PIAs as a top priority for their position. You need to help them understand what a PIA is and why it is important to the business.

Identify Allies

Find people in the organization who can help move the PIA process along. When people with influence in the company and knowledge of the associated technology, such as the IT Director and CTO, emphasize the importance of the assessment, you’re likely to get more buy-in from the staff. Discussing Privacy Impact Assessments in different committee meetings is also an effective way to spread the message throughout the business.

Assign Responsibilities

Multiple departments in your organization could play a role in the assessment, including Compliance, IT, Legal, Marketing, HR, and Security. Set clear expectations and deadlines for each department.

If your company has a Project Management team, work with them. They will have processes, tools, and expertise for keeping projects on schedule that could be applied to the PIA.

Conclusion

To learn more about Privacy Impact Assessments, listen to this episode of the Compliance Pointers podcast. You can also watch the Overcoming Today’s Biggest Privacy Challenges webinar.

CompliancePoint has a team of privacy professionals that can help your organization complete Privacy Impact Assessments and other privacy-related tasks with better efficiency and effectiveness. We have helped businesses of various sizes, across multiple industries, comply with the GDPR, CCPA, and any other applicable state privacy laws. Contact us at connect@compliancepoint.com to learn more about our services.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.