What Is Included in a Privacy Risk Assessment?
Every action and adventure movie in the history of movies has a scene that looks like this:
IN SECRET LAIR — NIGHT
Hilariously funny computer-nerd sidekick with crushing social anxiety is talking with an uber-suave, secret super-agent about taking down moles in the government intent on destroying society as we know it.
Sidekick: Wait a second. Just wait. You’re saying we have to steal the bomb from the crazy secure military base?
Secret super-agent: It’s the only way we can save the world. [smolder]
Sidekick: But that’s insane! Assuming we can even get past the ID checks at the entrance, there are five additional checkpoints between the front door and the vault where the bomb is stored. The final checkpoint requires a 25-digit passcode that is randomly changed every 30 minutes and retinal scans from four different people!
[Sidekick begins pacing in front of a desk littered with random, techy-looking stuff]
IF, and that’s a big if, we make it through all that security, the vault is temperature- and pressure-controlled. Any unscheduled access triggers the alarm system and activates the laser-shooter/oxygen-deprivation/flame-throwing system. We will die if we can’t hack the system to schedule our currently unscheduled visit! Do you hear me?! DIE!
Secret super-agent: You can do it. I need you to do it. The world needs you to do it. [extra long smolder]
In that scene, the overworked and underpaid sidekick identifies factors that could interfere with successful operations. In other words, they’re conducting a risk assessment.
Luckily, running an excellent privacy program doesn’t usually involve saving the world. But that doesn’t mean you can get out of a thorough privacy risk assessment.
What is a privacy risk assessment?
A privacy risk assessment is a tool companies use to protect the personal information (also called PII—think name, address, SSN, race, financial information, biometric identifiers, specific geolocation, etc.) of natural persons from inappropriate use by a company, use that creates great risk for the individual's rights or freedoms, or exposure in a data breach. They can help identify, monitor, and resolve issues that put their internal and customer data at risk of exposure in a data breach.
While security against data breaches is essential, privacy risk assessments also consider your privacy practices in the scope of relevant privacy laws, current consumer expectations, and the risks to individuals. In short, they take the pulse of your privacy program.
What’s more, a privacy risk assessment isn’t a one-off exercise, but according to the European Commission, a living, flexible tool that can help you safeguard your business and customers.
These risk assessments go by several names—data protection impact assessments (DPIA is the GDPR term) or privacy impact assessments (PIA)—but their ultimate function is to reduce privacy risk factors and improve data management practices by providing a holistic view of the opportunities and challenges facing your company.
Why does my company need a privacy risk assessment?
PIAs aren’t just good risk management. They’re also a statutory requirement.
The European Union set the standard for regular risk assessments when it passed the General Data Protection Regulation in 2016. Nearly all data protection regulations passed since then have similar requirements and establish heavy fines for noncompliance.
Unlike many other countries, the United States doesn’t have a federal data privacy law. Instead, the US government has opted to take a sectoral approach that gives states the burden of protecting consumers’ personal information. Legislation like the California Consumer Privacy Act (CCPA) and the Colorado Privacy Act (CPA) make it clear that moving forward, companies are going to be responsible for safeguarding the personal data they collect.
Regardless of your legal obligations, though, privacy rights will be a significant issue for consumers for the foreseeable future. Almost across the board, consumers have proven they’ll walk away from a company if they have concerns about privacy practices.
If you aren’t actively trying to manage your privacy risks, it’s going to cost you in the long run.
What are the steps in a privacy risk assessment?
Saying that you’re going to conduct a privacy risk assessment is kind of like saying you’re going to make cookies—there are a lot of techniques you can use and types you can make. But there are fundamental principles that work across the board.
To conduct a privacy risk assessment, you need to:
- Set the scope
- Establish responsibilities
- Map your data
- Adjust processes
- Notify stakeholders of changes
Set the scope
Not every PIA has to be organization-wide. If you’re changing a single process in your direct marketing program, you may not necessarily need to examine how your customer service department accesses your customers’ personal data.
The scope of your PIA will be determined by the interaction between proposed changes and the privacy laws you need to comply with.
Under the GDPR, for example, a DPIA is required if you’re going to implement new technology, if you’re tracking the location or behavior of individual users, if you’re systematically monitoring a publicly accessible place on a large scale, if your data processing will be used in automated decision-making with legal ramifications, or if you’re processing data from children.
You’ll notice those examples don’t specifically name advertising or internal data processing as a trigger for a DPIA. And there are some exceptions in the law if you’ve recently conducted a DPIA for a reasonably similar situation.
Looking for further guidance on when to conduct a PIA? Both the ICO and CNIL provide guidance on steps to take.
Setting parameters for your DPIA will help you be as thorough as possible while also helping control your costs and timelines.
Let’s go back to the bomb-stealing action movie from the intro. Sometime after the “risk assessment” scene, there will be another scene where the heist crew will sit and go over their plan in minute detail, with every person listing off their responsibilities.
You should do the same thing when prepping for a PIA. Every person involved in the process should clearly understand their role, how the chain of command works, and the deadlines.
It’s the same concept the American Red Cross uses when teaching people first aid (“You in the blue shirt! You call 911!”). Clear performance expectations eliminate confusion and improve performance, making the process more efficient.
Map your data
This step is the big one. If you get nothing else from this article, remember this:
YOU NEED TO KNOW YOUR DATA.
But getting to know your data doesn’t magically happen. You have to take the time to get your know your data. Buy it a cup of coffee. Ask it about its family.
Just kidding. That’d create even more data.
In all seriousness, you can get to know your data simply by creating a data map.
We’ve written extensively about data maps, sometimes called data inventories, but at its core, data mapping explains what happens to every data record in your system. It will tell you:
- What data you’re collecting
- Who you’re collecting it from
- Why you’re collecting it
- Who has access to it (including third-party vendors)
- Who you’re sharing it with or selling it to
- How you’re using it
- Where and how long you’re storing it
- Where it’s at risk for exposure
Basically, a data map is the fastest, best way to understand and identify privacy risks in your data management program. In theory, this should be information you know already. In practice, companies rarely completely understand what their data collection and management practices look like.
Unlike the GDPR, US privacy laws don’t technically require companies to have a data inventory. But it’s hard to see how you could build an efficient compliance program without one.
Analyze and review
Once you’ve made a data inventory analysis of how the proposed changes will potentially affect the privacy of data subjects, you should have all the information necessary to address potential risks and be ready to implement the new technology or process. Feeling lost during the analysis and review? You should be looking to answer questions like:
- Where are the weaknesses in our program?
- How will changes or updates impact privacy operations?
- Will we need to update privacy notices need to change?
- Do we have the correct consents in place?
- Should contracts be drafted or updated?
Make the appropriate changes
Now comes the fun part—making the privacy changes that are going to move your business forward, build better relationships with customers, and stay compliant with all relevant laws.
To make the changes you identified as critical through your privacy risk assessment, make sure you keep communication clear and consistent between team members, departments, and relevant stakeholders. Clear internal communications help fully integrate changes into your operations—and if you want to be super on top of it, make your updated privacy practices part of a privacy training initiative.
When it comes to external communications, it’s also important to have a plan to notify customers of any substantive changes to your privacy policies or practices.
Take it one bite at a time
It’s always easier to manage large programs in small chunks, and privacy is no different. A big-picture strategy is vital in establishing a culture of privacy and managing priorities. Still, privacy risk assessments are much more effective if they’re a regularly utilized tool and not an occasional strategy.
If you need help designing productive privacy risk assessment processes, let us help. We can be the sidekick that supports your efforts, or we can be the super-agent that creates a functional plan.
Either way, Red Clover Advisors is passionate about practical, pragmatic privacy solutions. Call us today to schedule a consultation.