Why You Should Perform a Privacy Impact Assessment
February 07, 2020 | 3 minutes read
Imagine waking up and finding that millions of your organization’s files, including sensitive records, were breached. Personal data, ranging from photographic images, social security numbers, dates of birth, addresses, and health information to internal communications, is exposed. Surely it couldn’t happen to you, right?
Wrong.
Educational institutions like Georgia Tech, Rush University Medical Center, UConn Health, and the Chicago Public School System, as well as significant players in the healthcare, retail, security, and finance industries, have all had data breaches.
It’s an unfortunate reality that any organization with sensitive information about the public can be a target for malicious actors. In response to these threats, organizations are performing privacy impact assessments (PIAs). PIAs are risk assessments. They help organizations explain the impact an information system or project might have on individuals’ privacy and help stakeholders analyze risks.
Today and over the next week, we’ll be publishing a series of articles explaining:
- Why you should perform a privacy impact assessment
- How to complete a privacy impact assessment, and
- How you can use redaction software to prevent the spread of confidential or sensitive information online.
We hope that with this information, readers of CaseGuard’s articles can move beyond privacy awareness and start developing processes and policies for data collection, storage, and use.
How conducting a privacy impact assessment provides your organization more value, faster.
Reputations are not replaceable. Conducting a PIA takes time upfront; however, the investment is well worth it. In a presentation at the International Association of Privacy Professionals Congress, presenters said that companies who perform a PIA are most likely to avoid penalties, legal challenges, and backlash from the public. Why?
They can catch problems early, saving time and money.
Because the goal of a PIA is to keep information safe, organizations have to start the process with a good understanding of the amount of personal information they’ll be collecting and the complexity of the system they’re using. They have to know whether their system connects with other systems, such as desktop and application software or infrastructure, as well as which legal authorities, policies, or agreements they must comply with, among other topics. Answering these questions usually requires consulting stakeholders ranging from legal counsel and records managers to vendors and the staff responsible for the system’s security. Through these conversations, organizations can start planning appropriate controls and company policies to minimize risks.
They promote accountability and privacy.
The future depends on the action we take today. When done well, PIAs help organizations plan strategies to prevent and respond to any breaches or other significant occurrences that can affect data security.
Often, to gain a full understanding of a system, organizations will:
- Map the flow of data through a system to describe its use,
- Identify with whom the data will be shared,
- Explain how the data is verified for completeness and accuracy, and
- Address the potential interest from the media or public in the privacy aspects of the project.
By following the flow of data through a system, organizations gain more insight into problem resolution and can make more informed decisions.
Looking forward: How to complete a privacy impact assessment
Tying privacy to a casual evaluation process won’t create follow-through or reduce privacy risks in an organization. Developing strategies to remove and minimize privacy risks takes effort, but the peace of mind that comes from knowing your organization’s interests and those of impacted individuals are protected is worth every minute spent. That’s why tomorrow, in Part 2 of our series on privacy impact assessments, we’ll cover how organizations across law enforcement, education, healthcare, government, the legal field, and the security industry are conducting PIAs.