Privacy Impact Assessments: Why and When to Do Them

By Cathy Nolan

What is a Privacy Impact Assessment? A Privacy Impact Assessment, or PIA, is an analysis of how personally identifiable information (PII) is collected, used, shared, and maintained. Why do it? If your organization needs to comply with the GDPR, a PIA will demonstrate that program managers and system owners have consciously incorporated privacy protections throughout the development life cycle of a system or program. Since the GDPR stipulates that systems and processes must have the principles of data protection “built in” from the beginning of a project, doing a PIA becomes a necessity rather than a “nice to have”.

Even organizations that do not do business with Europe or hold any data in the EU should consider doing this assessment. With all the uproar over data protection and individual privacy, a PIA can reveal where a company has weaknesses when it comes to protecting the personal data it collects, stores, and uses. No corporation should indiscriminately collect personal data or hold it indefinitely. Processes need to be put in place to collect data only for a specific purpose, to inform the individual of the reason for collection, and to safely delete the data once it has served that purpose. These processes can be legally and financially important in the event of a data breach, because they demonstrate that the organization has exercised due diligence in protecting data. As we have seen with organizations such as Equifax and Target, failing to protect personal data can have significant financial consequences for your organization’s reputation, because the public reacts strongly to any loss of private data.

Doing a PIA is not a trivial task, since it involves not only identifying personal data but also determining how the data will flow through the business processes and technology, whether the data is being changed, whether it will be shared with a third party such as a vendor, and how and when the data will be deleted. A third party should have the same privacy practices as your organization and provide agreements that bind them to protect the personal information you have collected while it is in their custody.

PIAs should be started early in project development or design and revisited throughout the lifecycle. When you create an information flow or repository to identify the personal data being collected, here are some points to consider:

  1. Source of the information
  2. Who collected the information, by what method, and for what purpose
  3. Format of the information, and who is authorized to use the data
  4. Security controls during any information transfer
  5. Location of the storage and retention site
  6. The data disposal schedule

To sum it up, here are some questions to answer when doing your PIA:

  1. Do you have the appropriate legal authority to collect personal data?
  2. Have you received consent from your customers to use their data?
  3. Are you using out-of-date or irrelevant personal data to make decisions?
  4. Are you disclosing data to third parties that are not authorized or that do not keep personal data appropriately secure?
  5. Do you have processes in place to dispose of privacy data after use?

Many U.S. government agencies have already started PIAs of the data they collect and hold. These include the Department of Homeland Security, FEMA, the Federal Trade Commission, Health and Human Services, and the Department of Education. If Congress takes guidance from these departments, it may not be too long before we have some type of federal “GDPR” regulation in the U.S. Why not be one step ahead by protecting personal data within your organization now?
