TrustArc Blog

Mitigate Risk, Protect Consumer Data With a Privacy Impact Assessment

January 13, 2015

This post is part 1 of a 4 part series about Privacy Impact Assessments (PIAs) that we will be posting weekly. 

The importance of privacy will only grow over time. The amount of connected devices is increasing exponentially – and with that, so is the amount of personal data flowing on the Internet ­– possibly exposing people to risk.

The Privacy Impact Assessment, commonly known as a PIA, is a process for identifying, assessing and mitigating privacy risk for a specific product, service or system. The PIA serves to help companies see where they stand in terms of privacy practices, thereby also helping companies protect consumers’ personal data.

Big data presents a lot of commercial opportunities for businesses, but that data must be mined safely. A number of high-profile companies have made headlines for privacy breaches, and although it’s possible to recover, it can be a long and slow process.

Business of all sizes should conduct a PIA. For companies that want to be around for the long term, privacy is no longer an option.

When talking about data collection, our thoughts quickly turn to privacy concerns. TRUSTe has conducted numerous surveys asking people about their thoughts regarding smart technology, connected devices, and privacy issues. It’s clear from our surveys that consumers are concerned about privacy, and businesses need to assuage those concerns. According to our surveys:

  • Only 14% of consumers said they were comfortable sharing personal data from their smart devices with ad companies.
  • 89% of US Internet users say they avoid companies that do not protect their privacy.
  • 87% of smart device users say they’re concerned about personal information being collected and used in ways they were unaware of.

A company’s privacy team is responsible for ensuring that the organization uses personal data ethically and in a way that’s consistent with the company’s privacy policy.

The main lessons for businesses handling personal data are: 1) to be as transparent as possible to customers when providing notice about how they are using that data; and 2) to provide customers with choice(s) and control over how their personal data is used.

Examples of personal data include contact information, social security numbers, driver’s licenses, financial account information, individually identifiable health information, log-in credentials, device IDs, browsing habits and personal preferences. There are an increasing number of channels from which to collect this data in order to offer targeting ads. Many businesses collect data without even thinking about it. Nevertheless, companies have a responsibility to be aware that they are collecting this information and have the obligation to protect it.

Some other things to discuss before embarking on the PIA process are: 1) budget, 2) timeframe, and 3) resources. It’s important to agree on a budget and have the team conducting the PIA clarify expenses that will be incurred throughout this process. These expenses typically include things like consulting fees, tools to automate the assessment process and cost of having company employees briefly focusing on the PIA and spending time away from their regular duties.

For start-ups in particular, employees sometimes abandon the process to put-out fires and launch other projects. It’s essential for all companies to set realistic timeframes and schedule regular meetings.

It’s also important that the privacy office and staff have an adequate number of employees to support the PIA process, which can involve cross-department support on occasion.

The following posts will cover the six steps of a PIA, implementing the PIA and other PIA considerations.

Has your company conducted a PIA? What value did it offer?

To read TRUSTe’s Whitepaper, “A Guide for Structuring and Implementing PIAs” click here.