Privacy Impact Assessments
This week, we’re discussing privacy impact assessments (PIAs) and how they can help your business achieve better privacy outcomes and build a strong culture of privacy.
What are Privacy Impact Assessments (PIAs)?
A PIA is a tool your business can use to assess the impact a new or amended project will have on data subjects, including customers, prospects, employees, and consultants. It is used to identify what personal data is being collected and how it is used, stored, accessed, and shared, as well as the likely impact of that use. In turn, this can assist in strategic decision making and in mitigating privacy risk, and it can surface opportunities for improved information management.
In some situations, PIAs must be undertaken. For instance, controllers must undertake a data privacy impact assessment under Article 35 of the GDPR if they intend to process data that poses a high risk to personal privacy rights.
But PIAs are often beneficial even when they aren’t legally required.
When should you undertake a Privacy Impact Assessment?
Ideally, your business should undertake a PIA any time you begin collecting, storing, transferring, accessing, or otherwise using personal data in a manner that hasn’t been contemplated in a past PIA.
The time, resources, and financial investment required to undertake a PIA correlate with the likely level of privacy risk. In cases where there is very little privacy risk, a PIA will be straightforward. Where the risk is more significant, the PIA will be more complex, more time consuming, and more expensive. Given that unaddressed privacy risk can lead to compliance issues, privacy breaches, and reputational damage, the benefits of performing a PIA tend to outweigh any drawbacks.
You should consider undertaking a PIA as early as possible in a project’s timeline. If you contemplate the potential privacy risk early, you can make privacy-centric decisions throughout, instead of relying on band-aid solutions later on. In doing so, you encourage all stakeholders to consider the impact their decisions can make on privacy – which promotes informed decision making and strengthens your internal culture of privacy.
How to undertake a PIA
A relatively straightforward PIA can be performed by anyone in your organization with some privacy familiarity. This template prepared by the Information Privacy Commissioner of Ontario, Canada provides a useful framework and outline. Of course, you should always be sure to check the laws for your jurisdiction – there can be important differences from one jurisdiction to another in things like what types of information are considered “personal information” or what rights individuals have with respect to their data.
Where a project entails more complicated collection and handling of personal data, or if you’re not able to effectively map data flows to, from, and within your company, you should seek help from an experienced privacy consultant or attorney.
If you need assistance building a culture of privacy at your company, reach out. We’re here to help!