TrustArc Blog

Privacy Impact Assessments: Creating a Data Map

January 27, 2015

This post is part 3 of a 4-part series about Privacy Impact Assessments (PIAs) that we will be posting weekly.

Privacy officers, executives and project managers all benefit from PIA insights to ensure the privacy practices at their organizations are ethical and safe.

There are a total of six steps when conducting a PIA. Our previous posts focused on the value of PIAs for organizations and the initial steps needed to conduct a PIA. The next steps focus on asking more detailed privacy questions and taking a deeper dive into a company’s privacy practices.

The second step of a PIA is to describe the information flows, also called data mapping.

Using a data map, organizations can ensure executives – in addition to the privacy team – know how data flows through their organization. Many privacy teams already know this information and have detailed data flow maps and system diagrams, which can make this step a quick one. By examining the data map, those conducting the PIA can focus on how data flows into, through and out of an organization – and possibly identify any gaps where data is not protected.

Data mapping also precisely answers why data is collected, where it’s stored, who can access it and other important questions.

The third step of a PIA is to identify and assess privacy-related risks. After creating the data map, it can become easier to identify where the potential risks in the data collection process lie for the organization being assessed. There are a number of ways to identify these risks: examining where notice and choice offered to an individual are not adequate, where security controls are insufficient, and where data quality is compromised, to name a few. This step helps the group conducting the PIA explain to executives and stakeholders the exact privacy risks that the organization could face.

SEE ALSO: Starting a Privacy Impact Assessment 

Assembling the right PIA team is essential to conducting a successful assessment. Some of the members a PIA team should include are:

  • An executive responsible for the budget for the PIA – perhaps the CPO, CEO or CIO.
  • Privacy office staff to lead the effort and track daily progress.
  • Product managers, IT managers and marketing managers.
  • Members of the company’s legal team who have knowledge of data privacy.
  • External privacy consultants to offer outside perspective and help ensure compliance.

Setting up a PIA will vary from company to company depending on the size of the organization and how the company captures and uses data.

Tell us about your experience with the PIA process in the comments below.

To read TRUSTe’s whitepaper, “A Guide for Structuring and Implementing PIAs,” click here.

 

