Dirty Little Secrets: “Word” to the Wise on Privacy Impact Assessments (PIAs)
Privacy Impact Assessments, otherwise known as Data Protection Impact Assessments (DPIAs), are nothing new. In fact, our recent survey of more than 230 companies around the world showed us that more than half of those companies already perform them for projects involving high risk to individual privacy or large-scale processing of sensitive data. (For more survey results on GDPR readiness around the world, you can find the infographic and full report co-produced with the Centre for Information Policy Leadership here.) That being said, it also means that there’s still a significant portion of organizations that do not perform Privacy Impact Assessments.
If You Think You Can Avoid Privacy Impact Assessments, You Can’t
Just because Privacy Impact Assessments aren’t being performed systematically doesn’t actually mean they’re being sidestepped entirely. At one point or another, every company that handles sensitive information carrying risk to individuals will have to perform some sort of assessment or audit, be it pre- or post-policy breach. At the very least, your legal team will need to consider liabilities when it comes to both your products/services and internal processes. This could be anything that interacts with (collects, uses, or discloses) customer information, processes where data is transferred, human resources initiatives, or partner, customer, and prospect information.
In that sense, it’s not so much a matter of IF you perform privacy impact assessments, it’s more a matter of WHEN. For example…
Pre-Design Privacy Impact Assessment
Pro: Forces all parties to consider data privacy from the very beginning of any and every project. PIAs would then be carried out during phases that follow to ensure reliable enforcement of data privacy policies.
Con: Requires multiple assessments to be designed and carried out, which means more work to maintain all of the assessments and more potential points for delays.
Post-Production Privacy Impact Assessment
Pro: Design focuses solely on functionality meeting business and performance objectives, which means less time from design to prototyping and testing through production.
Con: Potential risks discovered could cause delays ranging from slight modification to a fundamental change to design.
No Privacy Impact Assessment
Pro: Design focuses solely on functionality meeting business and performance objectives.
Con: Risks would only be reported after the fact and could result in significant breaches, fines, and remediation efforts. In another sense of the word risk, you may consider taking one if the price of any or all of those possibilities outweighs the cost of implementing systematic privacy impact assessments.
Bottom Line When It Comes to Privacy Impact Assessments
Do them – and the sooner the better.
Obviously those are not the only scenarios, but the point is all the same – it’s a sliding scale of cost of risk versus cost of effort. And frankly, that scale is quickly tipping toward favoring PIAs – with the latest laws around the world leaning toward more severe repercussions for privacy breaches or explicitly requiring PIAs as is the case with the GDPR.
Okay, Privacy Impact Assessments Are a Must. What Tools Do I Use?
Microsoft Word – A Popular Tool for Privacy Impact Assessments
Let’s start with something we’re all familiar with: Microsoft Word. Using Word, you can create “templates” (there is a way to create actual Word templates, but often a saved copy with editing disabled is considered a template as well) of questionnaires that fit different situations, projects, roles, etc. You’d then require that an answered copy is submitted and evaluated as part of the process. Alternatively, you can generate PDF versions with forms enabled for better document control.
I mentioned earlier that more than half of the organizations we surveyed conduct PIAs, but only half of them use an automated system of some sort, so this is still a very popular option.
Food for thought:
- Document Control: Beyond the general upkeep of adapting templates to reflect changes to regulations, people who are given the option to look for the file time and again or save it to a place they’d remember will generally do the latter. So even when you do update the template, there’s no guarantee that they’ll be filling out the latest copy.
- Lacks Efficiency: At the risk of stating the obvious, this method involves a lot of manual effort (depending on your process for locating and sending the templates, and collecting and aggregating responses).
Custom-Built Privacy Impact Assessments
Where there’s a will, there’s a way. Obviously there are downsides to manually conducting PIAs, so organizations have created custom solutions that can expedite the process. While there’s no way to generalize the effectiveness of these solutions, it’s definitely a step in the right direction. The only downside to consider is that, as privacy laws continue to change, it may be necessary to continually update the solution. Additionally, if it’s created on a specific system, the solution may need to be updated when the system is updated. It’s something to consider, as IT resources are generally scarce because the ratio of IT staff to employees is low in most organizations.
Third-Party Privacy Impact Assessment Tools
Lastly, there’s the option of employing third-party tools. It’s immediately obvious that there’s generally a cost associated with purchasing software. So what are the benefits? Well, as you may have suspected, the downsides of the former two options (Word and custom solutions) can be addressed by the third-party tools. Systematic, automated PIAs save time and effort in creating and maintaining templates, as well as tracking people down for responses and keeping track of results. Not to mention it’s in the software vendor’s best interest to keep their solutions up-to-date with the latest regulatory requirements and continuously improve usability and functionality.
Luckily the cost we mentioned is actually not of concern here as we offer a free PIA tool which you can find right here.
The Most Important Thing
Make it easy for everyone to get involved in the process, because the only way to successfully ensure the highest standards for data privacy are met is to have everyone play their role. If you wait for your legal team to vet and catch problems, it’s likely too late and repercussions could be costly.
- Central location or built into all processes (AKA workflows)
- Easy to aggregate responses AND find them later
- Easy to update across the board