Privacy Risk Assessment

PIAs are the assessments we use to help companies identify and assess privacy risks throughout the development life cycle of a program of a system.

But what does that actually mean?

When we’re doing a PIA, we figure out what personal information is being 1) collected, 2) used, 3) shared, 4) and stored. With that information, we help you figure out what risks are present and how you can protect against them when you’re processing this data.

Let’s get a little more specific, though. When we do a PIA, we look at the following issues:

• Does the personal information that is collected comply with privacy-related regulatory requirements?
• What are your specific risks when collecting, storing, and sharing that information?
• How can you better protect and process information to avoid privacy risks?
• What are your options for getting consent from customers for collecting their personal information?

Wait, what’s considered personal information?

Personal information is any – repeat, any! – data that could possibly be used to identify and individual. That can include, but isn’t limited to, your full name, Social Security number, driver’s license number, bank account number, passport number, or email address. It can also include biometric data, personal characteristics like fingerprints or handwriting, or IP addresses. In fact, much of the data that is part of our digital lives today is comprised of personal information.

Article 35 of the GDPR mandates that data controllers conduct a DPIA in certain circumstances. Failing to produce evidence of conducting a DPIA when called upon could lead to huge fines. The GDPR requires a DPIA to happen before processing any data when the processing activity “is likely to result in a high risk to the rights and freedoms of natural persons.”

Legislators didn't provide an exhaustive list of examples of when this might happen. Article 35(3) lists three examples of types of processing that automatically requires a DPIA

• Systematic and extensive profiling with significant effects
• Large scale use of sensitive data
• Public monitoring

Individual countries have created additional guidelines to help interpret Article 35 of GDPR. For example, the Information Commissioner’s Office (ICO), the Data Protection Authority in the UK, has published a list under Article 35(4) that offers ten further examples of high-risk processing.

1. Innovative technology
2. Denial of service
3. Large scale profiling
4. Biometrics
5. Genetic data
6. Data matching
7. Invisible processing
8. Tracking
9. Targeting of children or other vulnerable individuals
10. Risk of physical harm

Businesses that do privacy impact assessments have some significant advantages over those that don’t do them. There are the obvious reasons to do them if you fall under the mandate of the EU’s General Data Protection Regulation (GDPR) or the California Consumer Protection Act (CCPA). Not complying means risking substantial fines and legal penalties.

But what if you’re not impacted by GDPR or CCPA? (Or what if you are, but fines and penalties aren’t enough motivation?)

Lots of companies aren’t required to comply with GDPR or CCPA and broad information assurance framework certifications aren’t a strict necessity for them. But stepping out ahead of requirements puts your business in the best possible position to adopt new privacy laws as they come. (And they will eventually come.) This means no scrambling, last-minute efforts to avoid costly fixes. This means securing your data now, not patching it up later. Determining what to disclose in a privacy notice now, not later. Creating transparency for your customers now, not later.

It also will build privacy into your company as a core value. When you undertake a thorough risk analysis, you’ll be able to demonstrate to your employees, stakeholders, and customers that you take privacy seriously.

Privacy risk assessments are a huge asset for any business or organization that wants to understand where their data is vulnerable. By conducting a privacy risk assessment, you develop the tools you need to detect privacy issues now and down the road. It’s always better to address problems before they arise rather than cleaning up the aftermath of a catastrophe. 

Privacy risk assessments also help you ask some important questions internally? What information do you need to disclose? How are you communicating with your customers about their options for disclosing personal information? Does your data collection align with your business strategy? How does it sync up with your company values?

Undertaking a privacy risk assessment now also demonstrates to your staff, stakeholders, customers, and the public that your business takes privacy risks seriously. This facilitates trust internally and externally and helps everyone involved make better, more informed decisions.

These are just the reputational benefits. Fiscally, addressing privacy risks head-on prevents massive losses. The average cost of a data breach is $3.92 million. Most of this cost stems from the loss of business, which can last well beyond the initial impact and cleanup. According to data from 2019, 67% of costs associated with data breaches occurred in the first year, but 22% followed in the next year, and 11% the year after.

Not surprisingly, most Americans don’t trust companies with their data. According to a 2019 Pew Research Center study, 62% of Americans don't think it's possible to avoid data collection. 79% of them are concerned about how the data is being used. The trust gap is significant. However, by taking steps early on to create a business culture focused on privacy, you can demonstrate to your customers that you take their concerns seriously.