Privacy Impact Assessment

Privacy Impact Assessments Assess Privacy Risks and Gaps for Companies

Privacy impact assessments (PIAs) help organizations determine the privacy risks of collecting and processing personal data. PIAs typically follow three steps. First, they map how personal data is used by the organization and whether that processing conforms with applicable regulations. Second, they analyze the risk to that personal data based on how it is accessed, stored, and moved. Third, they evaluate which processes, controls, or protections would reduce privacy risk and improve compliance.

The GDPR calls out PIAs as data protection impact assessments (DPIAs) in Article 35, which requires one for processing that is likely to result in a high risk to individuals. Not all legislation calls out PIAs specifically, but they represent a best practice for assessing overall privacy readiness. The specific requirements of a PIA vary with the privacy regulation it targets.

How are Privacy Impact Assessments accomplished?

  1. Manual processes: through surveys, interviews, and documentation reviews, organizations record how personal data is used and protected. Given the volume and breadth of data sources, manual processes are time-consuming and prone to inaccuracies, and the result is a point-in-time snapshot.
  2. Automated solutions: packaged software can automate many components of a PIA, starting with automated discovery and classification of personal data. These privacy solutions then evaluate risk based on factors such as the protection applied to the data, the number of users with access, and the geographic dispersion and movement of personal data. With these tools, organizations can assess personal data continuously rather than once.
  3. Service providers: consultancies and managed-service firms supply the staff and tools to perform PIAs for organizations that do not have the resources or expertise to conduct the analysis themselves.
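The three PIA steps above, and the risk factors the automated-solution item lists, can be shown concretely. The following is an added example written for this page; it is not code from the page or from any vendor's product. It discovers and classifies personal data in a constructed sample of records (step 1), scores each data store's risk from how the data is protected, how many users can access it, and how it is spread and moved across regions (step 2), and lists the controls that would lower that score (step 3). The detection patterns, sensitivity weights, factor weights, thresholds, and the `DataStore` fields are all assumptions chosen for illustration, not an industry-standard scoring model.

```python
"""Minimal automated PIA helper (added example; all weights and patterns are assumed)."""
import re
from dataclasses import dataclass, field

# Detection patterns for common personal-data categories (illustrative; a real
# discovery engine uses many more, plus validation such as IBAN checksums).
PII_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\+\d{1,3}(?:[ -]\d{2,4}){3}\b"),
    "ssn":   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "iban":  re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"),
}
# Sensitivity weight per category (assumed): identifiers that enable fraud or
# identity theft weigh more than plain contact details.
SENSITIVITY = {"email": 1, "phone": 1, "ssn": 3, "iban": 3}


@dataclass
class DataStore:
    name: str
    records: list[str]
    encrypted_at_rest: bool
    users_with_access: int
    regions: set[str]             # regions that hold a copy of the data
    cross_border_transfers: int   # transfers out of the home region per month
    pii: dict[str, int] = field(default_factory=dict)  # filled by score_store


def discover_pii(records: list[str]) -> dict[str, int]:
    """Step 1: find and classify personal data; returns hit counts per category."""
    counts: dict[str, int] = {}
    for rec in records:
        for category, pattern in PII_PATTERNS.items():
            hits = len(pattern.findall(rec))
            if hits:
                counts[category] = counts.get(category, 0) + hits
    return counts


def score_store(store: DataStore) -> tuple[int, str, list[str]]:
    """Steps 2 and 3: score risk from protection, access breadth and data
    movement, and list the controls that would reduce the score."""
    store.pii = discover_pii(store.records)
    if not store.pii:
        return 0, "none", []
    score = max(SENSITIVITY[c] for c in store.pii)   # most sensitive category found
    controls: list[str] = []
    if not store.encrypted_at_rest:
        score += 2
        controls.append("enable encryption at rest")
    if store.users_with_access > 100:
        score += 2
        controls.append("reduce access: least privilege and periodic access review")
    elif store.users_with_access > 10:
        score += 1
        controls.append("review the access list against need-to-know")
    if len(store.regions) > 1:
        score += min(len(store.regions) - 1, 2)      # dispersion, capped
        controls.append("document data residency and the legal basis per region")
    if store.cross_border_transfers > 0:
        score += 1
        controls.append("assess safeguards for cross-border transfers")
    level = "low" if score <= 3 else "medium" if score <= 6 else "high"
    if level == "high":
        controls.append("flag for a formal DPIA (GDPR Art. 35 high-risk processing)")
    return score, level, controls


# Constructed sample inventory: three stores with made-up records.
SAMPLE_STORES = [
    DataStore("crm", [
        "Alice Example <alice@example.com>, +1 555 123 4567",
        "Ticket from bob@example.org, callback +44 20 7946 0958",
    ], encrypted_at_rest=True, users_with_access=25,
       regions={"EU", "US"}, cross_border_transfers=3),
    DataStore("payroll", [
        "Carol Doe SSN 123-45-6789 IBAN DE89370400440532013000",
        "dave.smith@corp.example, SSN 987-65-4321",
    ], encrypted_at_rest=False, users_with_access=150,
       regions={"EU"}, cross_border_transfers=0),
    DataStore("metrics", [
        "cpu=0.42 mem=71% host=web-01",
        "requests=1023 errors=2",
    ], encrypted_at_rest=True, users_with_access=5,
       regions={"EU"}, cross_border_transfers=0),
]


def run_assessment(stores: list[DataStore] = SAMPLE_STORES) -> dict[str, tuple[int, str, list[str]]]:
    """Assess every store; returns name -> (score, level, recommended controls)."""
    return {s.name: score_store(s) for s in stores}


if __name__ == "__main__":
    for name, (score, level, controls) in run_assessment().items():
        print(f"{name}: score={score} level={level} pii={dict(sorted(discover_pii(next(s for s in SAMPLE_STORES if s.name == name).records).items()))}")
        for c in controls:
            print(f"  - {c}")
```

In the sample run, `crm` scores medium (contact data only, but shared across two regions with active transfers), `payroll` scores high (government and bank identifiers, unencrypted, broad access) and is flagged for a formal DPIA, and `metrics` holds no personal data at all. The point of the scoring is the shape, not the numbers: discovery tells you where personal data is, the access and movement factors tell you how exposed it is, and each factor that raised the score maps to a control that would lower it, which is exactly the gap list a PIA is meant to produce. Re-running the assessment on a schedule is what turns a one-off PIA into the continuous assessment the automated-solution item describes.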

Related terms: Privacy by Design, NIST Privacy Framework.