TrustArc Blog

Starting a Privacy Impact Assessment

January 20, 2015

This post is part 2 of a four-part series about Privacy Impact Assessments (PIAs) that we will be posting weekly.

Not too long ago privacy was an afterthought, something that most customers and companies weren’t overly concerned about. Now, privacy breaches and unauthorized information gathering are among the most common consumer concerns about connected devices. Many companies have grown their privacy function from one person to an entire staff to ensure consumer data is collected in a safe and transparent way, while mitigating risk for the organization.

Conducting a PIA is a great way for a company to evaluate its privacy practices and pinpoint any weak areas. The purpose of a PIA is to document how an organization actually handles consumer and employee information, identify the privacy risks in those practices, and keep those risks under review as the company and its products grow and change.

The first step in the PIA process is to identify the need for a PIA with a Privacy Threshold Analysis (PTA). Start by inventorying each business asset (a product, system, or process) and the privacy concerns surrounding it, in order to determine its potential privacy impact. The questions in the PTA are deliberately high-level; the answers determine which assets collect or handle personal data in a way that needs further analysis. For those assets, the privacy team then fills out a PIA questionnaire, which asks more specific questions about the nature of the data collection and other data practices. This initial process sets the scope of the PIA.

The PIA questionnaire must cover the key aspects of personal data collection, including: the nature and sources of the information being collected; the intended use of the personal information; whether that information is shared with any third parties; and the mechanism by which individuals grant their consent, among others.

SEE ALSO: Mitigate Risk, Protect Consumer Data With a Privacy Impact Assessment 

While this first step may seem obvious, it is an essential part of the PIA analysis. Meticulously examining high-level privacy practices from the very start of the process gives the PIA an accurate foundation to build on. From here, the PIA takes a deeper dive into the company’s privacy practices.

How much time and resources does your organization spend considering and reviewing privacy practices?

To read TRUSTe’s Whitepaper, “A Guide for Structuring and Implementing PIAs” click here.