By the end of 2024, the personal data of nearly 75% of the world’s population will be protected by modern privacy laws. The rapid, global expansion of privacy regulations has and will continue to change how companies can collect and process their customers’ personal information.
No matter which privacy law (or laws) your business is subject to, the experts at Red Clover Advisors excel at creating practical, cost-effective privacy solutions. We leverage our backgrounds in business, marketing, and privacy to build privacy into every process.
Don’t know where to start? Contact us today for a free consultation.
Depending on which law we’re talking about, a privacy risk assessment might be called a privacy impact assessment (PIA) or a data protection impact assessment (DPIA), but all these names describe the same thing: a powerful risk management tool that assesses data flows and identifies exposure and compliance risks.
But if you want the nuts-and-bolts reasons for why you should run regular privacy risk assessments, here are five good ones:
It’s the smart business move
The cost of a data breach rose 10% in 2021 to average $4.24M, the highest total cost in the last 17 years. That number does not factor in the fines and legal fees associated with non-compliance or the long-lasting reputational damage or loss of consumer confidence that go along with it.
There’s no question that data is the currency of the future. It’s also equally evident that gaining and keeping customer trust is key to keeping the data flowing. Building a robust privacy program that includes regular risk assessments is good business, even if you don’t currently have compliance obligations.
Beating privacy risks to the punch
Beyond building customer trust, privacy risk assessments help you future-proof your privacy practices. Privacy risk assessments give you an opportunity to deeply analyze your business activities, your vendors, and your policies and identify dicey areas in your privacy practices. By identifying anything that might be a risk, you can mitigate or adapt your strategies.
This doesn’t just uncover past issues—a privacy risk assessment can highlight problems that might crop up in the future.
You want to stay ahead of legal regulations
In 2021, privacy bills were proposed in 23 states. These states cover the entire spectrum, liberal and conservative, big and small. It’s only a matter of time before most states have a data privacy statute, and that doesn’t include the possibility of a federal law coming into play.
On June 6, 2022, a bipartisan group of Congress members published a draft of the American Data Privacy and Protection Act. Co-authored by members of the US Senate Committee on Commerce, Science, and Transportation and the House Committee on Energy and Commerce, this bill represents the first meaningful effort to create federal consumer data privacy protections in decades.
The American Data Privacy and Protection Act may be a work in progress, but if it passes, it will likely stipulate measures akin to privacy risk assessments. The same for any upcoming state-level regulations.
You’re legally required to
This reason is the least philosophically compelling, but it’s a reality. Many privacy laws, from the groundbreaking European Union’s General Data Protection Regulation (GDPR) to newer laws like the Virginia Consumer Data Protection Act, mandate regular privacy risk assessments. Some even require an assessment to be completed every time a process is changed.
Done well, a privacy risk assessment will tell you:
And other critical who/what/when/where/why/hows of data privacy: why you’re collecting consumer data, where it’s being stored, how long it’s being kept, whether it’s being sold or not, how it’s being shared, and where you need better data protection measures
In short: privacy risk assessments create a road map of risk factors, company strengths, and growth opportunities.
Conducting a privacy risk assessment positions your business as privacy-forward, conscious of consumer rights, and differentiates you from your competitors. But what do you need to know about the legal obligations you’re facing?
New state privacy regulations are being proposed and passed each year in legislatures around the country. It’s only a matter of time before all businesses are responsible for adhering to some level of privacy laws. So that’s a good reason to get started now—when given the choice between being proactive and reactive, always be proactive.
Currently, there are five privacy regulations on the books: the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA); the Virginia Consumer Data Protection Act (VCDPA); the Colorado Privacy Act (CPA); Connecticut Data Privacy Act (CTDPA); and the Utah Consumer Privacy Act (UPCA).
Each state brings different obligations to the table for obligations and processes for conducting a PIA—but those obligations aren’t necessarily fully formed. These obligations can be a legitimate head-scratcher for privacy-minded businesses. Here’s where laws currently stand:
CCPA/CRPA have a broad threshold for businesses when it comes to PIAs. CPRA states “businesses whose processing presents a significant risk to consumer privacy or security must submit a regular risk assessment to the CPPA”.
As the clock ticks down to CPRA enforcement, though, lawmakers and privacy advocates expect that the California Privacy Protection Agency (CPPA—and yes, we know these acronyms are…a lot) will create additional guidance on PIAs.
It’s important to note, though, that CPRA mandates a twelve-month lookback period for PIAs, meaning that a PIA needs to be run before processing any information gathered on or before January 1, 2022.
Virginia takes a more structured approach to conducting PIAs, providing guidance that indicates certain situations under which a business should conduct a privacy risk assessment:
Interestingly, Virginia doesn’t require businesses to conduct a unique PIA—if a PIA has been run to comply with another privacy regulation, it can be used in Virginia as long as the assessment is similar in scope and effect. Another point to note: VCPDA doesn’t require a lookback period. PIAs only have to be conducted for information gathered after the law went into effect.
The CPA details a short but meaningful list of activities that require businesses to conduct a PIA. These activities include:
Like the VCDPA, CPA only requires a PIA for information collected after the law went into effect.
Neither the Connecticut Data Protection Act or the Utah Consumer Privacy Act offer provisions for privacy impact assessments at this time, but that doesn't mean that the language of these regulations won't change.
Building a privacy-forward culture at your business starts with identifying privacy risk throughout the lifecycle of data. Your team needs a big-picture view of data flows and the privacy risks that arise from all your business activities, from major launches to customer interactions. And it all needs to be brought under the context of legal and regulatory requirements.
Red Clover Advisors has been making data privacy practices simple and straightforward for clients since Day 1. We assess, develop, implement, and maintain data privacy strategies for clients that bring results without the substantial expense of hiring in-house.
Our Privacy Risk Assessment creates a holistic view of how your business collects, uses, and shares personal information.
Everyone wins. You get insight into your current practices, so you can minimize privacy risks. Your team gets the resources to shape products and services for successful business outcomes. Your customers get assurance that you’re doing things the right way.
