SPARCS - Topic Of The Week

Understanding Privacy Impact Assessments - Protecting Data and Enhancing Trust

Our world has quickly evolved into a highly technical and data-driven landscape, making personally identifiable information (PII) far more abundant. The continued collection and use of PII makes it essential to protect the privacy of data within your organization. One specific way to make progress on your organization’s data privacy is to conduct Privacy Impact Assessments (PIAs), an analysis of how an organization collects, uses, shares, and maintains PII. Privacy Impact Assessments support regulatory compliance requirements, but they extend well beyond that: PIAs help with identifying risks, uncovering gaps, strengthening existing privacy safeguards, and much more.

Let's dive into all of the benefits of privacy impact assessments:

  • Identifying Risks and Uncovering Gaps
    Within the PIA process, you will be able to identify “weak spots,” or areas of risk, due to some varying potential issues such as inappropriate access controls, insecure technical provisions (firewalls, encryption, backups, etc.), or non-compliance with policies. By locating those pain-points, you can adequately address the issues and minimize the likelihood of a data breach.
  • Strengthening Safeguards
    PIAs strengthen organizational safeguards by proactively identifying and addressing privacy and security risks before they result in harm. These assessments are intended to discover gaps and risks, prompting your organization to take a closer look at the safeguards that are currently in place, and enhance them to close or diminish the gaps and risks that are discovered.
  • Meeting Regulatory Requirements
    Various regulations require the completion of Privacy Impact Assessments, such as the E-Government Act of 2002, Health Insurance Portability and Accountability Act (HIPAA), California Privacy Rights Act (CPRA), and other state-specific privacy laws.
  • Building Organizational Trust
    Regularly conducting PIAs shows that appropriate attention is being given to privacy compliance. Completing PIAs shows (in a small way) that, as an organization, you care about the privacy of your employees’ and customers’ data, which will, in turn, enhance organizational trust.
  • Diminishing the Unnecessary Collection of PII
    Since PIAs focus on analyzing the ways your organization collects and uses PII, they give you a direct view of where PII is being collected and used. This provides your organization with an opportunity to locate situations where PII is being collected or stored but doesn’t need to be.
    The same view applies to third parties: a PIA presents an opportunity to review which external entities have access to organizational PII and to update that access as appropriate.
  • Implementing a “Privacy By Design” Approach
    As the UMD Privacy Office, we love this. Conducting PIAs at the start of a new project encourages privacy considerations to be built into systems and processes from the start, rather than having to implement these after issues arise.

Before beginning the PIA process, you first need to consider who needs to be involved. Some common stakeholders would be the privacy and security teams, IT managers, legal teams, and project managers. Once you know who to involve, you can dig into the organization and completion of your PIA:

  1. Define your scope
    Outline what you are assessing. Think of what types of PII are at risk of being affected by this project/process, then establish boundaries.
  2. Identify and document data flows
    Map out the data flows of PII. Think of entry points, storage locations, and methods of transmission.
  3. Clarify data accuracy and usage
    Understand how the data is processed, what security measures already exist, and what the potential privacy risks are. Inventory the people, vendors, and tools that access the data.
  4. Assess privacy risks
    Analyze the data flows, evaluate the likelihood that PII is exposed, and understand the potential consequences of that exposure.
  5. Implement risk mitigation strategies
    Review the identified risks and think of mitigation strategies.
  6. Document final outcomes
    If you have been involved in any regulatory audits or reviews, then you understand the importance of documentation. Make the auditors happy - document everything!
  7. Review and update your PIA on a regular basis
    PIAs should be completed during the implementation of a new project or process, but they can also serve as a regular check-up on existing projects and processes, whether to meet new regulations or requirements or simply to find gaps in privacy. Regularly reviewing and updating your PIA helps you continuously enhance security and remain compliant with changing regulations.

Privacy isn’t a one-time initiative; it is an ongoing responsibility that needs to be recognized and addressed at a fundamental level. By building Privacy Impact Assessments into new and existing projects, your organization takes a proactive approach to identifying risks, minimizing unnecessary data collection, strengthening safeguards, and maintaining compliance in an evolving regulatory landscape, and it ensures that privacy considerations are embedded into systems and processes from the start. While all of those benefits are substantial, the most important result of regularly completing PIAs is that it demonstrates a meaningful commitment to protecting the personal information entrusted to your organization and fosters a culture of accountability and trust.

At UMD

The Privacy Office wants to help your project succeed while still protecting the privacy of the university community. If you are in the process of implementing or planning a new project and are interested in having a privacy impact assessment done, please fill out this form: Privacy Impact Assessment Request Form.
