How to Do a Privacy Impact Assessment

Want to protect your organization from expensive and time-consuming mistakes?

In today’s piece from our three-part series on privacy impact assessments (PIAs), we’ll be covering how to do a PIA at your organization. With this guide, you’ll learn:

• Six steps to success: the six key stages of a PIA process and what questions you’ll need to answer for each step.

We’ll also address frequent questions about the PIA process, including:

• When you should do a PIA
• How detailed your PIA should be, and
• Whom you might need to talk to during the PIA process

While every organization’s needs are unique, we hope that by providing a framework for conducting a PIA, you’ll be able to identify and remedy problems sooner so that you can avoid unnecessary costs, complaints, and reputational damage going forward.

Want to read part 1 and 3 of the series? You can!

• Privacy Impact Assessments | Part 1: Why You Should Perform a Privacy Impact Assessment
• Privacy Impact Assessments | Part 3: Redact PII and Sensitive Information with CaseGuard

Step 1: Determine if You Need to Perform a PIA

Before committing yourself to many hours of work, you need to ask a straightforward question:

Does this PIA need to happen?

In other words, are you planning to collect, process, or store PII? Are you already collecting, storing, and processing PII? If you are, you need to do a PIA.

It’s essential to bear in mind that non-PII can turn into PII if additional information is made publicly available that, if combined with other available information, could be used to identify an individual. In practice, this means that if you’re implementing a new system or service that changes the way information is collected, recorded, stored, or processed so that someone could more readily identify an individual and be considered intrusive, you may need to do a PIA.

If you’re not sure about whether or not you should do a PIA, it can be helpful to talk to a privacy specialist or security expert within your organization. The odds are that they are familiar with what you’re trying to accomplish and can provide you guidance if you’re unsure about how to proceed.

Step 2: Plan and Understand Context

In this step, your goal is to establish the context around your project. Sometimes, you’ll perform a simple analysis for a simple tool, while in other cases, you’ll have to thoroughly analyze how this new tool will impact data throughout all of your systems.

In this phase, your goals are to be able to:

• Describe the project
• Communicate the business’s aim in handling this information
• Describe the organizational context in which you’re operating
• Address what the PIA will cover
• Explain what areas are outside the scope of the PIA
• Determine who needs to be involved and when you should talk to them
• Identify if any third parties will need to be involved in the process and what you’ll need from them.

Some questions that can be helpful to ask during this phase include:

• What are your objectives for storing this data?
• What’s your organization’s risk appetite?
• Do you have a privacy culture?
• Who will you hold accountable if there’s a breach?
• What technical environment do you operate in?

Step 3: Identify Processes

This is where the action starts. During this phase, you’ll identify the formal and informal processes in your project’s information life cycle.

The principal activities you’ll undertake include:

• Talking to stakeholders
• Figuring out how your system works and how the information will flow through the system, how the information will be stored and processed, and if there are any security implications
• Identifying risks and actions to mitigate risk
• Identifying compliance frameworks

Some questions that can be helpful to ask during this phase include:

• Will this project collect PII or potentially identifiable information about individuals?
• What personal information is currently collected and used?
• How does this information flow through our systems?
• Will the data you’re collecting be shared with other organizations
• Will a third party be processing data?
• How will your project change the information flow? How long will the information be kept for? How will it be removed in the future?

Step 4: Manage Privacy and Risks

In this phase, you consult with business representatives, privacy professionals, technical staff, and security staff to determine how your organization will approach risk. Before describing how to do that, it’s crucial to define what we mean when we say risk. Often, people get the term risk confused with vulnerability. Let’s clarify both terms here.

According to NIST, risk is, “A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence. Information system-related security risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and reflect the potential adverse impacts to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation.”

In contrast, a vulnerability is “Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.” Common vulnerabilities include weak passwords, missing data encryption, and poorly configured firewalls.

Risk involves adding up all of the potential threats your organization could face, as well as the vulnerabilities within its network or system. PIAs are meant to make it easier for you to identify risk and assess how serious it is.

With this phase, you will:

• Identify risks to privacy
• Determine mitigation and acceptance criteria
• Decide upon security controls, such as how you will want to control access to your information systems
• Choose how you will monitor and track any incidents that occur, as well as how you’ll deal with them in the aftermath

Questions that can be helpful to ask include:

• What’s the likelihood and consequence of a breach?
• How can you design a system to provide better security?
• How can you minimize the amount of personal information collected?
• How will you check information to make sure it’s accurate and complete?
• Will there be an audit trail you can check for the project?

Step 5: Report and Recommend

Time for solution mode. During this phase, you’ll focus on documenting your findings from the previous four steps.

In your final analysis, you’ll want to cover:

• All relevant information about the project and its goals
• How information flows through the system, including at different stages
• Who will have access to the information within the system
• What risks were identified and how you plan to mitigate any impacts (i.e., are there going to be risk-specific action plans and if there are going to be any test plans)
• The frequency at which the PIA should be reviewed going forward
• The people at your organization will be responsible for ensuring that policies and procedures are followed

There are many ways you can document your findings. What’s most important is that you do so in a way that is useful for your organization. Making the PIA publicly available is one great way to demonstrate accountability and encourage everyone at your organization is aware of your efforts to manage privacy.

Step 6: Monitor Change

Over time, you may find yourself collecting additional data or integrating with another system. When that happens, you should consider whether or not the changes will have an impact on privacy. By doing this, your PIA will continue to serve your organization.

Frequently Asked Questions About PIAs

At what point in a project should you do a PIA?

Ideally, you should do a PIA before you start a project that handles sensitive information, such as personally identifiable information (PII), which is defined by the National Institute of Standards and technology as information, “which can be used to distinguish or trace the identity of an individual (e.g., name, social security number, biometric records, etc.) alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual (e.g., date and place of birth, mother’s maiden name, etc.)”?

You should do a PIA before you start a project because they can inform the design of your project. They’re useful tools because they force you to ask if whether the way you’re storing, handling, or processing information is sufficient.

Asking these questions before you build a project avoids costly redesigns or system rebuilds that occur later because of risks you didn’t account for during the PIA process.

How long do I need, and how detailed should the PIA be?

There’s no one way to do a PIA. Depending on your organization, you may be subject to additional legal requirements that you will have to address in your PIA. If you’re feeling stuck, it can be helpful to look at several PIA templates. Remember, you don’t have to copy them exactly. You should customize your PIA based on your organization’s needs. You can add or take out some components to fit your organization’s needs, so long as you get the basics down, which we’ll cover shortly.

Whom do I need to talk to as part of the PIA?

It depends, but generally, business analysts, privacy professionals, technical staff, legal staff, security staff, and external stakeholders provide invaluable information throughout the process.