Conducting a Privacy Impact Assessment: A How-To Guide
Organizations face growing pressures to demonstrate proper stewardship of personal data they collect and process. An essential tool for identifying and addressing privacy risks is conducting a comprehensive privacy impact assessment (PIA). This post provides guidance on key steps to perform an effective PIA.
Catalog Personal Data and Systems
The starting point is documenting what personal information your organization handles and where it resides, including:
- Types of data collected from customers, employees and other parties (names, addresses, SSNs, health details, financial information, etc.)
- Systems, applications, and databases used to store and process personal data
- Any paper records containing sensitive information
Expanding the scope beyond “customer PII” to include all data subjects and formats gives a complete view of privacy risks.
Map How Data Flows Through Your Organization
Next, trace how data enters your systems, where it travels, who accesses it and how it ultimately exits the organization. Identify:
- Points of data collection and sources
- Which systems and internal teams use, transmit or store data
- Any external parties like service providers or partners that access data
- How and when data gets deleted or archived
Understanding data flows highlights potential weak points, such as unnecessary access, that could lead to breaches.
Classify Data and Define Protection Obligations
With flows mapped, classify data by sensitivity, based on the potential harm from unauthorized access or abuse. Common levels include:
- Public – Minimal harm if disclosed
- Internal – Moderate proprietary or financial damage if breached
- Confidential – Severe reputational, legal, financial damage if breached
Then identify specific legal and regulatory obligations tied to the data. These include contractual requirements as well as compliance mandates like HIPAA for health data or PCI DSS for payment card data.
Assess Current Risks and Controls
Analyze potential threats and vulnerabilities that put data at risk given its sensitivity levels and obligations, including:
- Cyber threats like malware, ransomware, insider and third-party breaches
- System failures, outages or data corruption
- Improper access controls or retention policies
- Loss or theft of paper records and devices
Then review technical, administrative and physical controls in place to mitigate identified risks, like:
- Encryption, access controls, firewalls, backups and other cyber defenses
- Security policies, procedures and training
- Badge access to facilities, locked storage for records, etc.
Gaps between risks and controls define areas needing improvement.
Address Gaps and Explore Alternatives
Where controls fall short, develop plans to implement missing safeguards aligned to data sensitivity and risk. Also consider data minimization options like:
- Anonymizing or pseudonymizing data to remove direct identifiers
- Collecting/retaining less data or for shorter durations
- Using aggregated statistical data instead of granular individual records
Balancing protection and minimization is key for managing privacy impacts.
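The following is an added example, not code from the original post or any of its referenced sources, showing two of the minimization options above in working form: pseudonymizing direct identifiers with a keyed HMAC (so the token cannot be reversed by hashing guessed values) while dropping fields that are not needed, and replacing individual records with aggregate counts that suppress small cells. The records, field names, classification of which fields are direct identifiers, and the key are all constructed for illustration.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records of the granular, individual kind a PIA would
# catalog; the SSN values are fabricated placeholders, not real numbers.
RECORDS = [
    {"name": "Ana Diaz", "ssn": "000-00-0001", "zip": "30301", "diagnosis": "asthma"},
    {"name": "Ben Oyelaran", "ssn": "000-00-0002", "zip": "30301", "diagnosis": "diabetes"},
    {"name": "Chloe Park", "ssn": "000-00-0003", "zip": "94110", "diagnosis": "asthma"},
]

# Assumed classification for this example: fields that directly identify a person.
DIRECT_IDENTIFIERS = {"name", "ssn"}


def pseudonymize(record, key: bytes, keep=("zip", "diagnosis")):
    """Replace direct identifiers with one keyed HMAC token; keep only listed fields.

    A keyed HMAC rather than a bare hash means an attacker who obtains the
    pseudonymized data cannot recover identities by hashing guessed SSNs.
    The key must be stored separately from the output and access-controlled.
    """
    identity = "|".join(record[f] for f in sorted(DIRECT_IDENTIFIERS))
    token = hmac.new(key, identity.encode(), hashlib.sha256).hexdigest()[:16]
    out = {"pseudonym": token}
    for f in keep:
        out[f] = record[f]
    return out


def aggregate(records, field, k=2):
    """Count values of one field, suppressing any cell with fewer than k records.

    Small-count suppression keeps rare values (which could single out one
    person) out of the published statistics.
    """
    counts = Counter(r[field] for r in records)
    return {value: n for value, n in counts.items() if n >= k}


if __name__ == "__main__":
    key = b"example-key-store-me-elsewhere"  # constructed; use a managed secret in practice
    for r in RECORDS:
        print(pseudonymize(r, key))
    print(aggregate(RECORDS, "diagnosis"))
```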
Document Findings in a Privacy Impact Assessment Report
Document details from the assessment in a report, including data maps, classifications, risks, current controls, gaps, and plans for new controls and minimization.
Have the report formally approved by leadership to confirm commitment to acting on the findings, and maintain it as a living document that is updated periodically as data, systems and regulations evolve.
Final Thoughts
As threats and regulations expand, sound privacy practices are a must. Conducting PIAs provides in-depth understanding of an organization’s data landscape. Cataloging data, tracing flows, classifying sensitivity, assessing controls, and exploring minimization techniques positions organizations to identify and address privacy gaps before incidents occur. Keeping PIA findings current through updates enables adapting to shifting risks over time.