A Guide to Privacy Impact Assessments


Until recently, privacy impact assessments (PIAs) were mostly just requirements for U.S. government agencies like the Department of Transportation or the Federal Trade Commission. But today, more and more businesses around the United States are required to conduct PIAs because of changing regulations.

Unfortunately, the factors that require a business to conduct a PIA vary from state to state, so it can feel like a lot to remember. But a little preparation now can lead to huge benefits down the road, including the peace of mind of knowing you’ve taken steps to protect consumer trust and ensure compliance.

So what are privacy impact assessments, and what do businesses need to know about PIAs and data compliance? Let’s get into it.

What is a privacy impact assessment, and why should you do one?

At its core, a privacy impact assessment evaluates the exposure risks to personal information within an organization’s processes, features, services, programs, or products.

A privacy impact assessment, sometimes called a “data protection impact assessment” or “data protection assessment,” analyzes how your business collects, uses, shares, and maintains personal information. This can be information about your consumers, employees, prospective employees, vendors, and others who come into contact with your business. 

The legal purpose of a PIA is to demonstrate that your business has complied with all relevant legal, regulatory, and policy requirements for data privacy. 

But that’s not where the function of a PIA ends. 

PIAs identify privacy risks, as well as how said risks have been mitigated. They’re an important part of safeguarding data if the processing of personal information is likely to result in a high risk to individual rights and freedom. They can also evaluate whether your business has incorporated sufficient data privacy protections throughout your system. 

But the business purpose of a PIA is broader. 

A PIA is an opportunity for businesses to get out in front of privacy issues before they become problems. Not only can this process mitigate privacy risks from a legal standpoint, but it also allows businesses to build trust with consumers and create privacy-first processes. 

Privacy regulations and privacy impact assessments

Government agencies have carried out privacy impact assessments for two decades now (since the E-Government Act of 2002), but the regulations have more recently begun to extend to private companies due to the EU’s General Data Protection Regulation (GDPR) and new U.S. laws at the state level. 

Under Article 35 of the GDPR, businesses have to conduct a data protection impact assessment when their data processing is likely to result in “high risk” to the rights and freedoms of individuals (yes, the wording is purposefully open-ended).

Under the GDPR, PIAs are required when businesses conduct activities that are considered “high risk,” including:

  • a systematic and extensive evaluation of the personal aspects of an individual, including profiling
  • processing of sensitive data on a large scale
  • systematic monitoring of public areas on a large scale

Privacy impact assessments under U.S. state laws

Currently, a number of state privacy laws require that businesses execute an annual PIA for certain data processing practices. These states include:

  • California
  • Colorado
  • Connecticut
  • Virginia
  • Montana 
  • Indiana
  • Tennessee
  • Texas
  • Oregon

As under the GDPR, there are a variety of situations where a privacy impact assessment is required.

Some of the most common are: 

  • Processing personal data for the purposes of targeted advertising
  • The sale of personal data
  • The processing of sensitive data
  • When processing presents a “heightened” risk of harm to the consumer

But if you’re wondering if you have to use a unique assessment for each state law, rest (a little) easier. As long as an existing PIA has a reasonably similar scope and effect to the jurisdictional requirements of the needed state, you may be allowed to use it to meet that state’s PIA requirements. 

Learn more about state data privacy laws with RCA’s state privacy law map.

Many state requirements align with the EU’s GDPR, but there are variations between states on what processing activities and types of sensitive data require PIAs. Businesses will have to review each individual state law to understand which ones may require them to perform a PIA. 

California’s Additional Steps for Privacy Impact Assessment Compliance

Privacy laws in California like the CCPA have been setting the standard for other state privacy regulations, and for those that process data on children, there’s an additional regulatory element to consider now: the California Age-Appropriate Design Code Act (CAADCA).

Under the CAADCA, which will come into effect in July 2024, businesses that process children’s data have to perform a privacy impact assessment before rolling out any new service, product, or feature likely to be accessed by children. This law, based on the similarly titled version in the UK, seeks to have businesses document and eliminate harm to children.

Businesses liable under this legislation must review their impact assessment biennially (every two years).

Seven tips for an effective privacy impact assessment

Whether you’re facing an immediate need for a privacy impact assessment or want to take a proactive approach, here are seven tips to ensure you create a sustainable strategy for privacy impact assessments in your business.

     1. Determine what jurisdictions apply to your business

The GDPR has no exceptions for small businesses, but many state laws include thresholds to relieve many smaller enterprises from state requirements. These thresholds vary by state. Take time to review what jurisdictions apply to your business and whether your existing practices fit your compliance needs. Even in jurisdictions where a PIA is not required, identifying and rectifying privacy risks is a smart business strategy. 

     2. Determine who needs to be involved in your PIA

Privacy programs (at least sustainable ones) are generally multi-department endeavors that involve legal, IT, marketing, HR, and customer service—basically, if a department interacts with personal information, it should be a part of privacy conversations. 

Make sure to include all stakeholders from the start of the process to create processes that work for your business AND meet regulatory guidelines. 

     3. Develop a governance plan for your PIA

You’ve got a cross-departmental team for PIAs, but how are they actually going to perform the work? Ask yourself the following questions: 

  • What are the triggers for a PIA?
  • Who’s spearheading it? 
  • Who are the teams/leaders responsible for executing specific parts of the assessment?
  • How will training be handled?
  • Who will ensure that your PIA is actually reflective of your operations? 
  • Who will review your PIA, identify the privacy risks, and work on your mitigation plans as necessary? 

Decide on these points now for a smoother process down the road. 

     4. Create the necessary processes and policies to support PIAs

Like any business activity, your processes benefit from clear documentation and policies. PIAs aren’t any different. Define an end-to-end process that identifies everything from threshold assessments to how risks are flagged and mitigated to how the effectiveness and impact of your activities are measured. 

Additionally, before conducting a PIA, the use of privacy threshold assessments (PTAs) is recommended. A PTA is a checklist of basic questions, such as what kind of data is collected and how it’s used, that helps you determine whether you need to run a PIA in the first place.

Templates can be a big support here, as they help you perform PIAs consistently, with less heavy lifting than starting from scratch each time. Creating a uniform process will be beneficial to employees and make it easier to train them on how the PIA process works.

It is also important to train those who might need to conduct a PTA or, ultimately, a PIA on what to consider and what to do. For example, explain to the product or analytics team how to complete it, whom to submit it to, and what the expectations are once it is submitted.

     5. Conduct a thorough data inventory

You can’t understand the risks or vulnerabilities within your system if you don’t understand how data is processed internally or how you share it with outside parties. A data inventory can help you get a bird’s-eye view of your data practices and where your weak spots might be, as well as alert you to areas that require a PIA. Data inventories and PIAs go hand in hand.

     6. Identify any potential risks associated with your processing activities

Where are your system vulnerabilities? How can you mitigate these risks? What safeguards can you update and put in place? 

Addressing these considerations now can save your business from a whole host of problems down the road.

     7. Plan to review your PIA regularly moving forward

Depending on your organization, jurisdiction, and other factors, you may be required to update your PIA annually or biannually, or you may only need to produce it in the case of an investigation, a regulator request, or a legal or compliance review.

That said, it’s not a good look if it comes out that your business never conducted a PIA until a regulator orders you to produce one. Either way, it pays to stay up to date with your PIA. 

Future you will be so happy you did. 

When in doubt, work with a third-party expert

Because PIAs can be overwhelming for businesses, many choose to partner with a third party to undertake a thorough privacy impact assessment that is most effective for their unique needs.

Schedule a call with Red Clover Advisors today to learn how we can help you conduct privacy impact assessments.