Who are you disclosing data to?
If you can’t answer that question, it’s a problem for your customers.
Your customers trust you with sensitive data. Names, email addresses, birthdays, social security numbers, health information, and more. They expect it to remain private.
But can you assure them of that?
A well-implemented privacy program is a critical business operation. Does yours meet the bar set by the General Data Protection Regulation (GDPR) and California Consumer Protection Act (CCPA)?
Here are some questions to consider:
If your business collects personal information, you have an obligation to protect the privacy of the individuals that information belongs to. To do that, you need to make privacy more than a one-time project.
Building a privacy-forward culture at your business starts with identifying privacy risk throughout the lifecycle of data. Your team needs a big-picture view of data flows and the privacy risks that arise from all your business activities, from major launches to customer interactions. And it all needs to be brought under the context of legal and regulatory requirements.
Sound like a big job? If you build privacy into the foundation of your products and services and your business processes from the start, you’ll be ten miles ahead of the game.
If you don’t, you’ll struggle to make it to the finish line when compliance becomes a requirement, not just best practice.
It’s not as hard as you think it is to get to where you need to be. We’ll get it done together.
Gap and Maturity Analysis
Who doesn’t love an online quiz? Our questionnaire assesses where you’re at with current privacy laws, regulations, and best practices. We take that information and use it to create a detailed assessment that includes high-priority recommendations and a privacy program evaluation.
Data inventory – this is the big one. A fully comprehensive data inventory is mission-critical to GDPR compliance and to other compliance efforts such as CCPA.
This can be a challenge, especially if you’ve been in business for years and have data spread across different systems and platforms.
Through our data inventory process, we track down the information you’ve collected. We figure out where the data is stored and how it is used, all with the goal of establishing your data flow. (And let’s not forget the “why” of your data collection – we always look to articulate the purpose behind the information.) Our findings play a big role in developing your privacy notice and your individual rights process and policy. After all, there’s no way to create these documents without knowing everything about the data you already have.
You’ll also end up with a better understanding of what data you need – or don’t need – to be collecting in the first place. Collecting and storing data that isn’t being used poses a risk to all companies.
Our data inventories incorporate Article 30 reports when needed, including all of your identified third-party vendors and their systems.
Once the Gap & Maturity Analysis has been run and once the data inventory is complete, you have options for what comes next.
Crafting your policies and informing individuals about them can be tricky. We help you read between the lines to create and/or update your privacy notices, information governance, and security policies. For cookies, we evaluate your vendors to assess and establish risk and help you implement your chosen cookie consent tool.
Looking for a DIY approach? We provide customizable templates for privacy notices and cookie banners.
Who are you working with? Are your management processes appropriate for your relationship?
We help you analyze and update your strategies for new and existing vendors, including vendor assessments, Data Protection Addendums, or vendor agreements.
Are third-party privacy technology vendors part of your plan? We’ll assess your vendors and walk you through building a roster of data management and consent tools and establish plans for reporting processing activities, data security, and more.
Red Clover Advisors has been making data privacy practices simple and straightforward for clients since Day 1. We assess, develop, implement, and maintain data privacy strategies for clients that bring results without the substantial expense of hiring in-house.
Our Privacy Risk Assessment creates a holistic view of how your business collects, uses, and shares personal information.
Everyone wins. You get insight into your current practices so you can minimize privacy risks. Your team gets the resources to shape products and services for successful business outcomes. Your customers get assurance that you’re doing things the right way.
What are Privacy Impact Assessments (PIAs)?
PIAs are the assessments we use to help companies identify and assess privacy risks throughout the development life cycle of a program or a system.
But what does that actually mean?
When we’re doing a PIA, we figure out what personal information is being 1) collected, 2) used, 3) shared, and 4) stored. With that information, we help you figure out what risks are present and how you can protect against them when you’re processing this data.
Let’s get a little more specific, though. When we do a PIA, we look at the following issues:
- Does the personal information that is collected comply with privacy-related regulatory requirements?
- What are your specific risks when collecting, storing, and sharing that information?
- How can you better protect and process information to avoid privacy risks?
- What are your options for getting consent from customers for collecting their personal information?
Wait, what’s considered personal information?
Personal information is any – repeat, any! – data that could possibly be used to identify an individual. That can include, but isn’t limited to, your full name, Social Security number, driver’s license number, bank account number, passport number, or email address. It can also include biometric data, personal characteristics like fingerprints or handwriting, or IP addresses. In fact, much of the data that is part of our digital lives today consists of personal information.
When are privacy impact assessments needed?
Article 35 of the GDPR mandates that data controllers conduct a DPIA in certain circumstances. Failing to produce evidence of conducting a DPIA when called upon could lead to huge fines. The GDPR requires a DPIA to happen before processing any data when the processing activity “is likely to result in a high risk to the rights and freedoms of natural persons.”
Legislators didn’t provide an exhaustive list of examples of when this might happen. Article 35(3) lists three examples of types of processing that automatically require a DPIA:
- Systematic and extensive profiling with significant effects
- Large scale use of sensitive data
- Public monitoring
Individual countries have created additional guidelines to help interpret Article 35 of GDPR. For example, the Information Commissioner’s Office (ICO), the Data Protection Authority in the UK, has published a list under Article 35(4) that offers ten further examples of high-risk processing.
- Innovative technology
- Denial of service
- Large scale profiling
- Genetic data
- Data matching
- Invisible processing
- Targeting of children or other vulnerable individuals
- Risk of physical harm
Why should I do a privacy risk assessment?
Businesses that do privacy impact assessments have some significant advantages over those that don’t do them. There are the obvious reasons to do them if you fall under the mandate of the EU’s General Data Protection Regulation (GDPR) or the California Consumer Protection Act (CCPA). Not complying means risking substantial fines and legal penalties.
But what if you’re not impacted by GDPR or CCPA? (Or what if you are, but fines and penalties aren’t enough motivation?)
Lots of companies aren’t required to comply with GDPR or CCPA, and broad information assurance framework certifications aren’t a strict necessity for them. But stepping out ahead of requirements puts your business in the best possible position to adopt new privacy laws as they come. (And they will eventually come.) This means no scrambling or last-minute efforts to avoid costly fixes. This means securing your data now, not patching it up later. Determining what to disclose in a privacy notice now, not later. Creating transparency for your customers now, not later.
It also will build privacy into your company as a core value. When you undertake a thorough risk analysis, you’ll be able to demonstrate to your employees, stakeholders, and customers that you take privacy seriously.
What are the benefits of a privacy risk assessment?
Privacy risk assessments are a huge asset for any business or organization that wants to understand where their data is vulnerable. By conducting a privacy risk assessment, you develop the tools you need to detect privacy issues now and down the road. It’s always better to address problems before they arise rather than cleaning up the aftermath of a catastrophe.
Privacy risk assessments also help you ask some important questions internally. What information do you need to disclose? How are you communicating with your customers about their options for disclosing personal information? Does your data collection align with your business strategy? How does it sync up with your company values?
Undertaking a privacy risk assessment now also demonstrates to your staff, stakeholders, customers, and the public that your business takes privacy risks seriously. This facilitates trust internally and externally and helps everyone involved make better, more informed decisions.
These are just the reputational benefits. Fiscally, addressing privacy risks head-on prevents massive losses. The average cost of a data breach is $3.92 million. Most of this cost stems from the loss of business, which can last well beyond the initial impact and cleanup. According to data from 2019, 67% of costs associated with data breaches occurred in the first year, but 22% followed in the next year, and 11% the year after.
Not surprisingly, most Americans don’t trust companies with their data. According to a 2019 Pew Research Center study, 62% of Americans don't think it's possible to avoid data collection. 79% of them are concerned about how the data is being used. The trust gap is significant. However, by taking steps early on to create a business culture focused on privacy, you can demonstrate to your customers that you take their concerns seriously.