Privacy Impact Assessment (PIA): Dos and Don’ts
In a nutshell, a privacy impact assessment (PIA) is a tool used to identify and assess privacy risks throughout a system or program’s development life cycle. A privacy impact assessment also indicates what personally identifiable information (PII) is collected, how it is collected and shared, and how it is maintained.
In essence, a privacy impact assessment should identify the following:
- Whether the information being collected complies with privacy-related regulatory and legal requirements.
- The effects and risks of collecting, disseminating, and maintaining personally identifiable information.
- Processes and protections for handling information so that potential privacy risks are avoided.
- Methods and options for individuals to provide consent to the collection of their personally identifiable information.
PIA Dos and Don’ts
For those who are tasked to create privacy programs and assessments, it is important to know that you need more than just data protection tools to create a good PIA. To help get your efforts off to a good start, below are some of the dos and don’ts you need to keep in mind:
There is no denying that conducting a PIA is beneficial for identifying privacy risks and preparing mitigation strategies. However, starting the PIA at the outset of program development is recommended to get the maximum benefit from the process. When privacy risks are identified early, it is also easier to integrate mitigation strategies into the activity or program’s design.
Take into consideration the scope
Some PIAs don’t identify and assess privacy risks adequately because the scope of what needs to be assessed is not clearly defined at the very beginning. In line with this, it is important that the PIA clearly describes what is being assessed and that the data flow diagram included in the report is congruent with that scope.
Keep it up-to-date
As initiatives are implemented and evolve, be prepared to deal with new privacy risks that arise. Ensure your PIAs are updated as needed so they stay current and can effectively address any new risks that develop. If an initiative or program requires significant revisions, an addendum to the original PIA or a new PIA should be created.
Do it alone
During the PIA process, it is crucial to consider how the product, program, or initiative can affect others. Consulting with stakeholders both within and outside the organisation helps ensure that all risks to privacy are clearly identified.
The privacy experts within an organisation should be treated as valuable partners, as they can give recommendations on privacy issues and on the national and international privacy standards that should be taken into consideration.
Forget to put the plan into action
The PIA makes early identification of privacy risks possible. However, for it to be effective, the mitigation measures identified in the PIA report need to be implemented and monitored. Ideally, PIAs should also include detailed action plans for the proposed mitigation measures.
These should include target completion dates and timelines, as well as a specific person responsible for implementing each measure. Action plans should also be referred to consistently to ensure that mitigation measures are implemented on schedule and that all identified privacy risks are addressed.
Forget to do some research
Nowadays, there are trusted organisations and online resources that provide guidance on privacy issues such as cloud computing, mobile apps, and biometrics. These experts and resources can be very helpful throughout the PIA process.
Also, whether you are a seasoned veteran of the process or still finding your way around, you are likely to encounter new and complex issues while developing the PIA. Don’t hesitate to get expert help so that potential privacy issues can be accurately identified and appropriately addressed.