Privacy Impact Assessment
A Privacy Impact Assessment (PIA) is a tool that enables organizations to identify, categorize, and ultimately remediate privacy risks present in their data systems in accordance with relevant legislative standards. These assessments have three objectives: to verify the data system’s privacy conformity with organizational and legal requirements, to determine the privacy risks present in the data system, and to evaluate solutions to mitigate identified risks.
With a PIA and its goals defined, the natural follow-up question is who needs one. The necessity largely depends on the requirements of whatever regulations your business must abide by; different frameworks require these assessments at different stages of data handling. Odds are, however, that if you are bound by privacy legislation and handle customer Personally Identifiable Information (PII), you will at minimum be required to conduct a PIA when said data is newly processed or sold. Additionally, whenever significant changes or additions are made to the data system’s structure or its processes, a PIA is typically highly advised, if not required outright.
At the conclusion of the above steps, a PIA report should be prepared documenting the results. The report should be easy to interpret and should cover the steps and considerations taken; online templates and/or privacy consultants can help to this end. After the report’s completion, ensure that it’s published and sent where necessary by regulation. Ultimately, the PIA report is a living document. Ongoing reviews of the report should take place whenever there is progress toward implementing the identified PIA recommendations or whenever changes to the system are documented.