Privacy Impact Assessment

Privacy Impact Assessments Assess Privacy Risks and Gaps for Companies

Privacy impact assessments (PIAs) help organizations determine the privacy risks of using/processing personal data. PIAs typically follow three critical steps. First, PIAs determine how personal data is used by the organization and if the processing conforms with regulations. Second, they analyze the risk of personal data based on how the data is accessed and used. Third, they evaluate what processes, controls or protections would reduce privacy risk and improve compliance.

The GDPR calls out PIAs as data protection impact assessments in Article 35 for processing that may create high risk. Not all legislation call out PIAs specifically, but PIAs represent a best practice for assessing overall privacy readiness. The specific requirements of PIAs vary based on what privacy regulation they target.

How are Privacy Impact Assessments accomplished?

  1. Have detailed data classifications that define the data you hold.
  2. Collect and use only the data needed for the business purpose or service.
  3. Have clear policies on data retention and delete and/or archive data on a periodic basis.
  4. Conduct analysis of data sets to determine if the organization is holding duplicate and/or unused data.

What are the tools used?

  1. Manual processes: through surveys, interviews, and documentation, organizations review how personal data is used and protected. Given the volume and breadth of data sources, manual processes may be time-consuming and prone to inaccuracies.
  2. Automated solutions: packaged software can automate many components of PIAs, providing automated personal data discovery and classification.  Additionally, these privacy solutions evaluate risk based on factors such as protection, number of users and geographic dispersion and movement of personal data. Organizations can have a continuous assessment of personal data with these solutions.
  3. Service providers: can provide the staff and tools to perform PIAs for organizations that do not have the resources and/or expertise to conduct the analysis.

Prevent millions of $ of privacy risks. Learn how.

We take privacy seriously.  While we promise not to sell your personal data, we may send product and company updates periodically. You can opt-out or make changes to our communication updates at any time.