A Data Privacy Impact Assessment (PIA) is an internal business process that organizations that process personal information use to tackle the potential data privacy risks of their technologies, products, systems, processes, and business in general. The goal is to help the organization proactively understand its data privacy risks and build processes and procedures around mitigating those risks. Data privacy regulations and your enterprise customers recommend, and sometimes require, conducting PIAs, so it may be in your best interest to familiarize yourself with them. This post gives you a high-level overview of what goes into a Data Privacy Impact Assessment.
- Business and System Description – This section should provide a detailed description of the Business and System under review, including its purpose, technical functions, capabilities, scope, data processing activities, and third parties involved.
- Personal Information Elements – This section should specifically identify each piece of personal information/personal data that your business or system processes (collects, generates, uses, shares, stores, etc.). This could include name, address, telephone number, email address, EIN, passwords, SSNs, biometric information, etc. This should also include information about the source of each element, how it is being used, and what the purpose of collecting it is.
- Data Flow Map – This section should, in detail, identify all data flows – including all entry and exit points, geographic locations, how the information is being accessed, how the information is being shared, and when your business or system is deleting the personal information. Data flow maps should be intricate and deliberate, and include as much detail as possible. Include supporting documents, such as evidence, here.
- Access Control Implementation – Identify how your business and the system are handling access controls, including authentication protocols, user management systems, access provisioning systems, administrative processes, third-party system access, and other related controls.
- Privacy Notices, Statements, and Restrictions – You should keep an inventory of all privacy notices, statements, and consents that are provided to or received from your end users. Use this section to specify those notices and statements, and all other applicable privacy-related guidelines.
- Applicable Laws – Use this section to identify all laws and regulations applicable to your business and systems. For example, if you’re in healthcare technology, identify the Health Insurance Portability and Accountability Act (HIPAA); if you’re processing the data of European Union citizens or California residents, include the GDPR and CCPA.
- Privacy Risks and Analysis – This section should outline all potential privacy risks. This should be an in-depth section, and can include information about third-party subprocessors, internal and external risks, etc. Analyze these risks and offer mitigation options. Flag any potential risks and work out a plan to mitigate them.
- Harm Mitigation – Based on the Privacy Risks and Analysis section, use the Harm Mitigation section to prescribe the actions your business and systems should take to mitigate the identified privacy risks, using common data protection concepts and technology.
- Required Action Plan – Set out a plan of action for members of your team to mitigate the risks identified. Include information around the action required, the responsible parties, and the estimated completion dates.
- Supporting Documents – Attach any supporting documents mentioned above, including but not limited to privacy notices, consent notices, information security plans, disaster recovery plans, or other policies and procedures.
Let us Help
This post provides a high-level overview of a Data Protection Impact Assessment, and is not to be taken as comprehensive guidance.
There are many more nuances and specifics, and you should have an experienced attorney help you through an appropriate PIA.
Kader Law can help you conduct and assess PIAs. If you’re interested, feel free to contact us.
This post is not legal advice, and does not establish any attorney-client privilege between Law Office of K.S. Kader, PLLC and you, the reader.