Privacy Program Maturity Model

Privacy Impact Assessments

Written by Osano Staff | Sep 30, 2024 10:18:41 PM

Data protection impact assessments (DPIAs) and other privacy risk assessments are essential exercises for identifying sources of privacy risk. With a healthy assessment process, you can identify which risks can be mitigated, which are unacceptably high, and which are tolerable as they stand. Regular assessments of this type encourage privacy by design, because they force stakeholders to consider privacy risks before a project or initiative begins rather than after it ships.

Please note that we use the term privacy impact assessment to cover any assessment that identifies and quantifies privacy risk, such as GDPR-mandated DPIAs and the privacy impact assessments required under some U.S. laws.

Less Mature

At the least mature level, your organization may not be conducting privacy impact assessments at all—instead, you might only consider those privacy risks that are immediately apparent and may not take thorough steps to mitigate those risks.

Relevant stakeholders may not be alerted to privacy risks, and ultimately, your organization will launch initiatives that introduce unwarranted risks to personal data. This can result in privacy breaches and legal or reputational damage to the organization.

More Mature

In contrast, a mature privacy impact assessment process applies a systematic and comprehensive analysis to every project or initiative that involves personal data processing and carries a high degree of privacy risk. Your assessments will identify:

  • What data will be collected.
  • How it will be used.
  • Where it will be stored.
  • Who will have access to it.
  • How it will be protected.

Important Note

You’ll involve stakeholders and subject matter experts in the process and mitigate identified privacy risks through the use of appropriate safeguards. Moreover, you’ll have a process in place to ensure the overall assessment workflow functions smoothly. 

That includes knowing how well your assessment identifies privacy risks and their mitigations, whether it is conducted at the right time and without unnecessary delay, and whether stakeholders are consulted throughout the project lifecycle.

Recommended Next Steps

To further mature the privacy assessment process, consider whether you’ve taken the following actions:

  • Develop or identify a standardized privacy impact assessment template that includes all relevant privacy risk assessment questions.
  • Provide training to employees on the importance of privacy impact assessments and how to conduct them effectively.
  • Implement pathways to embed templates in processes such as product reviews, legal sign-off, financial approvals, or pre-release QA.
  • Ensure you and/or relevant stakeholders have insight into all projects that involve the collection or processing of personal data to allow for triage and determination of whether a privacy impact assessment is applicable.
  • Review and update assessments on a regular basis, particularly in response to changes in technology or the regulatory environment.
  • Understand the legal requirements for conducting assessments, as they can vary by jurisdiction.
  • Ensure assessments are conducted early in the development process and that they are reviewed and updated as necessary throughout the project lifecycle.
  • Involve stakeholders from across the organization, including legal, security, engineering/product, IT, operations, finance, procurement, marketing, and HR, to ensure you can identify and address all privacy risks.
  • Document the assessment process and the results, including any mitigating measures that were implemented.
  • Log any risks and appropriate risk treatments as part of your risk management program.