Privacy Risk Assessments: DPIAs and PIAs
Once an organization has an initial understanding of its data collection, usage and sharing, the next step is to conduct Privacy Risk Assessments to understand the current and future privacy risks from those practices to the individual consumers and the organization. Organizations can engage in any number of individual or combined reviews in order to evaluate the implications of its business processes on privacy. There are many names for these Privacy Risk Assessments or Impact Assessment, but they are frequently referred to as either a Data Protection Impact Assessment (DPIA) or a Privacy Impact Assessment (PIA).
The purpose of a Privacy Risk Assessment is to provide an early warning system to detect privacy problems, enhance the information available internally to facilitate informed decision-making, avoid costly or embarrassing mistakes in privacy compliance, and provide evidence that an organization is attempting to minimize its privacy risks and problems.
Impact Assessments usually involve approximately four phases, roughly defined as the project initiation, data flow analysis, privacy questionnaires and the impact assessment report. In project initiation, the scope of the project is defined, the information needed, and the staff involved.
In the data flow analysis, the organization maps out the data flows for the particular process subject to the assesssment. Additional information is gathered in the the third phase, when questionnaires and distributed and collected to key employees to identify additional privacy issues, and the implications of concerns analyzed. Finally, a report is produced to document the potential risks, offer potential solutions to mitigate or remedy the risks identified, and it is presented to the appropriate decision makers for action.
Why the different nomenclature?
Privacy Risk Assessments are, generally, the parent category for both DPIAs and PIAs. However, many people in the industry use the terms DPIA or PIA to refer not to the specific legal requirement outlined in the law but more generally to refer to any privacy risk assessment.
DPIA is the name used for impact assessments in the European Union’s General Data Protection Regulation (GDPR). The DPIA requirement is covered in GDPR Article 35 and required where processing is likely to result in a high risk to the rights and freedoms of natural persons. This includes cases of automated processing, large scale processing of special data, and systematic, large scale monitoring of a public area. The law sets forth the minimum of what must be contained in a DPIA.
PIA is the term used by the Federal Trade Commission and other government agencies for an analysis of how personally identifiable information is collected, used, shared and maintained by the U.S. Government. It arose from requirements in the E-Government Act of 2002, enacted by Congress to improve the management of Federal electronic government services and processes. Although the law applies to Federal government agencies, the name is also used by industry for its own similar processes in the United States.
Manual, Internal Assessments
Organizations that are going to conduct privacy risk assessments internally need to make sure that their team has the time and experience in order to conduct them. It can be time consuming to set up the questionnaires and conduct the interviews necessary to gather the required information to complete the analysis and report. For some organizations without a mature privacy program, it may be easier to allow their privacy staff to focus on compliance efforts and bring in consultants to conduct this information gathering.
Many privacy risk assessments are conducted and managed internally. However, there can be value to bringing in an external organization to conduct an initial or secondary review of the potential privacy impact of a new or existing technology or business process. An outsider to the company, such as a consultant, can evaluate the existing privacy protections and businesses processes with a fresh perspective. They may also be able to offer insights from their broad range of experience working with other clients. Consultants may also use different software tools to make the process more efficient, automating a portion of the impact assessments through privacy technology. One area where technology can be a big help is in the automation of data flow mapping.
Schedule Your Software Demo Today
Get started on the path to a privacy risk assessment now. Call Clarip at 1-888-252-5653 to find out how we can help you with automated data flow mapping or with our data risk intelligence website scanner. We can also assist your privacy program in preparations for the California Consumer Privacy Act.
Contact Clarip for Help with Your Privacy Program
The Clarip privacy software and team are available to help improve privacy practices at your organization. Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo or speak to a member of the Clarip team.
If you are working towards GDPR compliance, we can help through our modular GDPR software. Whether you are starting the process with GDPR data mapping automation, need privacy impact assessment software, or looking to meet ePrivacy requirements with cookie management software, Clarip can help strengthen your privacy program.
If CCPA compliance in 2020 is on your radar, ask us about our California Consumer Privacy Act software. Improve efficiency of responses to data subject access requests with our DSAR software, or provide the right to opt out of the sale of personal information with our consent management platform.
Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo and speak to a member of the Clarip team.