How to Do a Privacy Impact Assessment

Want to protect your organization from expensive and time-consuming mistakes?

In today’s piece from our three-part series on privacy impact assessments (PIAs), we’ll be covering how to do a PIA at your organization. With this guide, you’ll learn:

We’ll also address frequent questions about the PIA process, including:

While every organization’s needs are unique, we hope that by providing a framework for conducting a PIA, you’ll be able to identify and remedy problems sooner so that you can avoid unnecessary costs, complaints, and reputational damage going forward.

Want to read parts 1 and 3 of the series? You can!

Step 1: Determine if You Need to Perform a PIA

Before committing yourself to many hours of work, you need to ask a straightforward question:

Does this PIA need to happen?

In other words, are you planning to collect, process, or store PII? Are you already collecting, storing, and processing PII? If you are, you need to do a PIA.

Bear in mind that information that is not PII on its own can become PII once it is combined with other available data: a ZIP code, a date of birth, and a sex are each harmless alone, yet together they single out most people in a population. In practice, this means that if you’re implementing a new system or service that changes how information is collected, recorded, stored, or processed so that someone could more readily identify an individual, or in a way that would reasonably be considered intrusive, you may need to do a PIA.
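The combination problem above is easy to miss on paper and easy to test in code. The following is an added example, not code from the original article: it runs a k-anonymity style check (the smallest number of records sharing any one combination of quasi-identifier values) over a small constructed export that contains no names or identifiers, and reports which attribute combinations single out exactly one person. The column names and sample rows are assumptions made for this example.

```python
"""Re-identification check for attributes that look like non-PII.

Added example, not part of the original article. The records below are
constructed for illustration. No single column identifies anyone, but the
functions show which combinations of columns do.
"""
from collections import Counter
from itertools import combinations

# Constructed sample export: quasi-identifiers plus one sensitive column.
RECORDS = [
    {"zip": "02138", "birth_year": 1975, "sex": "F", "diagnosis": "asthma"},
    {"zip": "02138", "birth_year": 1975, "sex": "F", "diagnosis": "flu"},
    {"zip": "02138", "birth_year": 1975, "sex": "M", "diagnosis": "flu"},
    {"zip": "02139", "birth_year": 1962, "sex": "M", "diagnosis": "diabetes"},
    {"zip": "02139", "birth_year": 1962, "sex": "M", "diagnosis": "asthma"},
    {"zip": "02139", "birth_year": 1962, "sex": "M", "diagnosis": "flu"},
]


def equivalence_classes(records, quasi_identifiers):
    """Map each combination of quasi-identifier values to how many records share it."""
    return Counter(tuple(r[q] for q in quasi_identifiers) for r in records)


def k_anonymity(records, quasi_identifiers):
    """Smallest group size over the given attributes.

    k == 1 means at least one combination of values belongs to exactly one
    person, so the attributes together act as PII even if none does alone.
    """
    classes = equivalence_classes(records, quasi_identifiers)
    return min(classes.values()) if classes else 0


def unique_combinations(records, quasi_identifiers):
    """Value combinations that occur in exactly one record (the re-identifiable ones)."""
    classes = equivalence_classes(records, quasi_identifiers)
    return sorted(combo for combo, n in classes.items() if n == 1)


def risky_attribute_sets(records, candidates, k_threshold=3):
    """Every subset of candidate attributes whose k falls below the threshold.

    Walking all subsets shows which *combination* turns harmless fields into
    an identifier; that is the question a PIA has to answer before release.
    """
    findings = []
    for size in range(1, len(candidates) + 1):
        for subset in combinations(candidates, size):
            k = k_anonymity(records, subset)
            if k < k_threshold:
                findings.append((subset, k))
    return findings


if __name__ == "__main__":
    qi = ("zip", "birth_year", "sex")
    print("k-anonymity over", qi, "=", k_anonymity(RECORDS, qi))
    for combo in unique_combinations(RECORDS, qi):
        print("uniquely identifies one person:", dict(zip(qi, combo)))
    for subset, k in risky_attribute_sets(RECORDS, qi):
        print(f"attributes {subset}: k={k}")
```

On the constructed data, `zip` alone and `birth_year` alone each give k=3, but `zip` plus `sex` drops to k=1: one record is fully exposed, and so is its diagnosis. When a real export is being assessed, run the same check against the actual column set and treat any subset with a low k as a PIA finding, not as "anonymous data".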

If you’re not sure about whether or not you should do a PIA, it can be helpful to talk to a privacy specialist or security expert within your organization. The odds are that they are familiar with what you’re trying to accomplish and can provide you guidance if you’re unsure about how to proceed.

Step 2: Plan and Understand Context

In this step, your goal is to establish the context around your project. Sometimes, you’ll perform a simple analysis for a simple tool, while in other cases, you’ll have to thoroughly analyze how this new tool will impact data throughout all of your systems.

In this phase, your goals are to be able to:

Some questions that can be helpful to ask during this phase include:

Step 3: Identify Processes

This is where the action starts. During this phase, you’ll identify the formal and informal processes in your project’s information life cycle.

The principal activities you’ll undertake include:

Some questions that can be helpful to ask during this phase include:

Step 4: Manage Privacy and Risks

In this phase, you consult with business representatives, privacy professionals, technical staff, and security staff to determine how your organization will approach risk. Before describing how to do that, it’s crucial to define what we mean when we say risk. Often, people get the term risk confused with vulnerability. Let’s clarify both terms here.

According to NIST, risk is, “A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence. Information system-related security risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and reflect the potential adverse impacts to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation.”

In contrast, a vulnerability is “Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.” Common vulnerabilities include weak passwords, missing data encryption, and poorly configured firewalls.

Risk, then, is not a list of threats or a list of vulnerabilities but the combination of the two: a threat source that could exploit a vulnerability, weighed by how likely that is and by how severe the impact on individuals and the organization would be. PIAs are meant to make it easier for you to identify privacy risks and assess how serious each one is.

With this phase, you will:

Questions that can be helpful to ask include:

Step 5: Report and Recommend

Time for solution mode. During this phase, you’ll focus on documenting your findings from the previous four steps.

In your final analysis, you’ll want to cover:

There are many ways you can document your findings. What’s most important is that you do so in a way that is useful for your organization. Making the PIA publicly available is one great way to demonstrate accountability and to make sure everyone at your organization is aware of your efforts to manage privacy.

Step 6: Monitor Change

Over time, you may find yourself collecting additional data or integrating with another system. When that happens, you should consider whether or not the changes will have an impact on privacy. By doing this, your PIA will continue to serve your organization.

Frequently Asked Questions About PIAs

At what point in a project should you do a PIA?

Ideally, you should do a PIA before you start a project that handles sensitive information, such as personally identifiable information (PII), which the National Institute of Standards and Technology defines as information “which can be used to distinguish or trace the identity of an individual (e.g., name, social security number, biometric records, etc.) alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual (e.g., date and place of birth, mother’s maiden name, etc.).”

You should do a PIA before you start a project because its findings can inform the design of that project. PIAs are useful tools because they force you to ask whether the way you’re storing, handling, or processing information is sufficient.

Asking these questions before you build a project avoids costly redesigns or system rebuilds that occur later because of risks you didn’t account for during the PIA process.

How long do I need, and how detailed should the PIA be?

There’s no one way to do a PIA. Depending on your organization, you may be subject to additional legal requirements that you will have to address in your PIA. If you’re feeling stuck, it can be helpful to look at several PIA templates. Remember, you don’t have to copy them exactly. You should customize your PIA based on your organization’s needs. You can add or take out some components to fit your organization’s needs, so long as you get the basics down, which we’ll cover shortly.

Whom do I need to talk to as part of the PIA?

It depends, but generally, business analysts, privacy professionals, technical staff, legal staff, security staff, and external stakeholders provide invaluable information throughout the process.
