The International Association of Privacy Professionals (IAPP) defines privacy as “the right to be let alone, or freedom from interference or intrusion.” Many people and cultures consider privacy to be a fundamental right, the foundation upon which many other human rights are built and recognized.
Information privacy is specifically the right of a person to have some control over how his or her personal information is collected, stored, or used. There are many ways to infringe on information privacy in today’s age of information technology, and protecting privacy is a complex endeavor.
As technology becomes more sophisticated and invasive, many organizations now struggle to protect information privacy — the loss of which can have catastrophic effects, both on the individuals who own the information and on the organizations trying to maintain privacy. As a result, organizations, regulators, and governments are increasingly focused on privacy protection laws and regulations.
To be compliant with these laws and regulations, organizations must identify and manage privacy risk. For this, they must assess how they collect, use, share, and maintain personally identifiable information (PII). This is where a privacy impact assessment (PIA) comes in.
What Is the Purpose of a Privacy Impact Assessment?
A PIA helps to identify, assess, and manage privacy risks that could arise from projects, systems, strategies, policies, or business relationships. A PIA enables an organization to analyze how it collects, uses, and maintains electronic information. It also evaluates privacy in the organization’s information management systems and collections. To this end, a PIA identifies:
- The risks of collecting, maintaining, and disseminating personal data
- An organization’s existing protections (or the lack thereof) to reduce privacy risks
- Compliance with applicable privacy-related regulatory or legal requirements
- Options for PII owners to provide consent for data collection
A PIA demonstrates that the enterprise has consciously incorporated privacy protections and controls throughout the development lifecycle of an information system, device, software module, or program that processes personal information. It provides documented assurance that the potential privacy issues in these systems have been identified and addressed adequately.
For instance, in a software development lifecycle (SDLC), a PIA enables system owners and developers to assess privacy, determine how the project might impact the privacy of individuals, and understand whether privacy protection objectives could hinder the project’s objectives. Such assessments can be carried out during the early stages of the SDLC and multiple times throughout the process.
Who Should Do a Privacy Impact Assessment?
A PIA — and a privacy program in general — is vital for organizations that collect or have access to a large amount of sensitive, private, or personally identifiable information. In this type of self-assessment, the organization assesses its internal processes to determine whether it can adequately protect the privacy of individuals whose data it collects, processes, or stores.
Under the E-Government Act of 2002, all U.S. federal agencies must conduct PIAs for all programs and information systems that collect PII. The law also mandates that a PIA should be completed when the agency:
- Develops or procures a new technology or system that handles or collects PII
- Revises or modifies an existing IT system
- Issues a new or updated rulemaking that affects PII
By conducting a PIA, these government agencies can demonstrate that they’re committed to protecting the privacy of PII and that they conform with applicable regulatory or legal requirements for privacy.
It’s not just federal agencies that can benefit from a PIA. Any organization that collects or processes PII about its customers, clients, business contacts, employees, and the like can benefit from a PIA.
With an increasing focus on data protection and individual privacy, CIOs should assure that their organizations don’t indiscriminately collect PII or hold it indefinitely. Instead, they must implement robust processes and safeguards to collect data only for specific purposes, inform users about the reason for collection, and delete the data when it is no longer required.
Organizations that do business with the European Union (EU) or that have data stored in the EU must conduct a PIA to comply with the General Data Protection Regulation (GDPR). The GDPR stipulates that organizational systems and processes must have data protection and privacy embedded (privacy by design) from the beginning of a project.
Whether you simply want to protect your business or need to meet regulatory requirements, a PIA can help you meet your objectives. It provides a strong starting point to design and implement the necessary processes.
When Should You Do a Privacy Impact Assessment, and How Do You Know if You Need One?
In general, your organization should do a PIA if any of the below conditions are true:
- You collect, use, and store PII about individuals, such as customers, vendors, or employees
- You possess information that is considered sensitive, such as patient records or financial data
- You are creating new information systems to store and manage PII, such as when converting paper-based records to electronic systems
- You have security systems and controls to protect private or sensitive information, but they’re undergoing changes that could potentially create new privacy risks or lead to privacy incidents. For example:
  - When a new technology could create a more open environment for data exposure that did not exist before
  - When system modifications will change information from anonymous to identifiable
  - When databases are merged to aggregate data but end up creating new privacy concerns
  - If a system change could create new risks to civil rights or liberties
  - If vendors, suppliers, or other third parties have access to PII that you maintain and are at risk of data breaches or cyberattacks
  - When business process changes result in the disclosure of information in identifiable form
What Are the Possible Consequences of Not Performing a Privacy Impact Assessment?
A PIA acts as an “early warning system” that shows you the gaps in your organization’s privacy processes and controls. These gaps may lead to compliance and regulatory issues or damage your reputation. You may even lose customers and business, which can harm your finances.
If you don’t conduct a PIA, you can’t prove to regulators, customers, or the public that you take privacy seriously, much less that you have strong privacy controls in place. Without such evidence, your organization cannot earn the trust or confidence of its stakeholders, which could hurt its reputation and financial health.
One of the biggest American credit rating agencies, Equifax, was hacked in 2017. Hackers stole the personal information of 140 million customers, and the incident cost Equifax $1.4 billion in security upgrades.
Equifax is one of the most famous incidents involving a massive breach of PII, but it is by no means an isolated one. By the end of September 2021, the number of data breaches had already surpassed the total for 2020 by 17 percent. Each breach costs on average $4.24 million, which is 10 percent more than the 2020 cost of $3.86 million.
By conducting a PIA and a cybersecurity risk assessment, you can identify control gaps that create privacy risks or lead to privacy events similar to the Equifax breach. These privacy risks could disrupt operations, require costly system modifications, lead to identity theft, and increase your vulnerability to extortion demands.
By identifying and fixing those gaps, you can avoid embarrassing, costly, or business-threatening privacy mistakes.
Is There a Difference Between a Privacy Impact Assessment and Privacy Risk Assessment?
Numerous overlapping terms are used in the privacy world. A privacy impact assessment is often referred to as a privacy risk assessment, with many people using them interchangeably.
The EU’s GDPR uses the term Data Protection Impact Assessment (DPIA), which is covered in Article 35. It specifies that a DPIA is required whenever data processing may create a high risk to the rights and freedoms of individuals.
The Federal Trade Commission (FTC) and other government agencies in the United States use the term PIA to specify how PII is collected, used, shared, and maintained by government agencies. It arose from the E-Government Act that applies to all government agencies. It’s also used by private sector firms for similar initiatives.
Perform a Privacy Impact Assessment with ZenGRC
ZenGRC is a governance, risk, and compliance platform that can help you manage all of your privacy protection initiatives. Perform a privacy assessment using ZenGRC’s out-of-the-box features. Its single source of truth repository centralizes all documentation for easy retrieval at audit time.
ZenGRC streamlines evidence and audit management for all of your compliance frameworks. Dashboards and insightful reporting provide visibility to where you are compliant and where you fall short.
Automated workflows and reminders allow risk and compliance managers to assign and track tasks to completion with minimal effort. The ZenConnect feature enables integration with popular tools, such as Jira, ServiceNow, and Slack, ensuring seamless adoption within your enterprise.