Privacy Impact Assessments – Practical Considerations
This is the first of a multi-article series focused on privacy impact assessments. This first article provides an overview of privacy impact assessments, the existing and pending privacy laws which require privacy impact assessments, and how privacy impact assessments are used in practice from a proactive perspective. The second article will focus on data protection impact assessments pursuant to Article 35 of the European Union’s General Data Protection Regulation (GDPR). The third article will focus on similar assessments required under U.S. State laws set to go live in 2023 including the California Privacy Rights Act (CPRA), Virginia’s Consumer Data Protection Act (VCDPA), and the Colorado Privacy Right Act (CPA). The fourth and final article will provide best practices on building a global privacy impact assessment process.
Privacy Impact Assessment as a measure to promote privacy by design
One of the best ways to promote privacy by design within an organization is to implement a proactive Privacy Impact Assessment (PIA) process. The goal of the proactive PIA process is to identify privacy risks during the requirements-gathering phase of a project or product development. That is, to be proactive, the privacy team meets with the product development team early in the development or build phase of a defined development lifecycle to understand their contemplated product launch or product enhancements. Areas of focus in the PIA may include items such as a) new personal information collected, b) opportunities for data minimization, c) anticipated retention periods, d) criteria which may drive the need to obtain consent from the consumer, and e) technical and security safeguards utilized.
For smaller organizations, we’ve observed success by meeting with the product development teams on a quarterly basis to review upcoming development initiatives. Based on the team’s description of each initiative, the privacy office then works with the product developer to complete a PIA where one is needed.
The completion of the proactive PIA places the privacy office on the front-end of the development lifecycle. The due diligence gathered during the PIA process and resulting feedback provided by the privacy office to the product development team, in turn, leads to effective privacy by design. This method also prevents the privacy office from learning of privacy risks after the product or service is already launched.
Implementing a Target Operating Model
The implementation of PIAs, Data Protection Impact Assessments (DPIAs), and similar assessments is best accompanied by the adoption of a target operating model. A target operating model is critical to managing assessments proactively and instilling privacy by design. For the target operating model, envision a process flow diagram that visually depicts when different assessments are to be completed. For example, the target operating model may include the following decision points:
- The privacy office holds a quarterly meeting with the product development team, resulting in the privacy office requesting that a PIA be completed on a new initiative.
- The PIA is completed, feedback is provided by the privacy office to the product development team, and the PIA is approved by the privacy office.
- The new initiative is determined to be “high risk,” and the privacy office therefore requests a formal data protection impact assessment (DPIA) for regulatory compliance. The privacy office and product development team work together to complete the DPIA, and its findings are tracked through to remediation.
- New processing activities and/or assets needed to support the initiative are then added to the data inventory, data map, or register of processing activities.
Target operating models are also incredibly important for establishing repeatable processes. The more assessments an organization attempts to implement, the more important a target operating model becomes. It is not uncommon for our clients to implement the following assessments: a) third-party due diligence for new vendors, b) PIAs, c) DPIAs, d) processing activity assessments, and e) asset assessments. The key to developing a target operating model is to first define the use case for each sequence. For example, a new vendor, an existing vendor, a new initiative, or an existing asset may each require a different sequence of assessment work. Target operating models do not necessarily need to be linear and can have multiple entry points. Given that a target operating model will usually encompass some existing workflows along with newly implemented workflows, we find target operating models to be unique to each organization.
Common privacy and risk management software and tools allow us to streamline assessments and structure them so that, if we ask a question in an assessment related to third-party due diligence for new vendors, we can pull that same response into further downstream assessments. This removes the need for the privacy office to ask the same question twice, which in turn reduces friction with the respondents.
In a subsequent article, we will focus on Data Protection Impact Assessments (DPIAs) as a means to comply with regulatory obligations. For example, under GDPR Article 35, organizations may need to conduct DPIAs on high-risk processing operations. Such regulatory DPIAs include very specific requirements.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.