PRIVACY IMPACT ASSESSMENT
Ensure new projects comply with the law while meeting community expectations. A privacy impact assessment guides your organization on how to manage privacy risks and make new activities legally compliant, providing practical recommendations on safeguarding personal information. Increasingly, a PIA is required to demonstrate lawful handling of personal information.
A privacy impact assessment (PIA) or a data protection impact assessment (DPIA) is a systematic audit-style process designed to identify risks and recommend steps to minimize those risks. PIAs are an important tool for ensuring new activities are built with data privacy in mind - both compliance with privacy laws and best practices that leave your customers and stakeholders feeling valued.
This is often known as ‘privacy by design’. Our PIAs and DPIAs come with actionable recommendations for remedying problem areas and embedding data privacy considerations directly into the design of projects at an early stage. It’s always cheaper and easier to bake in privacy from the start than to bolt it on later.
When and how should a PIA or DPIA be done?
If there is a new project, or some novel or changed approach to the way you are handling personal information (including using a new vendor or deploying a new process), the first thing to consider is whether it poses a significant risk to individual privacy and, by extension, to your organization. This is the threshold assessment. If the threshold assessment finds a significant risk, a PIA/DPIA should be undertaken early enough in the project, or sufficiently in advance of the change, that its findings can influence the overall design of the initiative.
A PIA will often include a data flow analysis, which maps out how the relevant personal data flows through your organization as a result of the initiative or change. We gather information from stakeholders and, where it is efficient, use questionnaires completed by the personnel involved to bring to light the details of the change in personal information handling and to identify risks.
In summary, in the world of data, the devil really is in the detail. What can appear innocuous or even innovative to an online marketer or database engineer can be a red flag to a Waltzer privacy professional versed in the legal frameworks and the history of data breaches.