
Managing Compliance Confidently with Privacy Assessments

Annie Greenley-Giudici

Privacy Assessments Address a Broad Range of Compliance Requirements

No matter what industry you are in, your organization’s size, or your privacy program’s maturity, conducting regular privacy assessments is important to understand and ensure compliance.

Privacy assessments cover a wide range of legal requirements and best practices and will help build an action plan to identify gaps and define and manage remediation activities.

When assessments align with pertinent global privacy laws, they provide a structure for gathering information necessary to determine where your program is most successful and what gaps should be addressed.

These assessments can also help companies predict data privacy trends, assign resources appropriately, and resolve the right issues before a violation occurs.

Stakeholders participating in the process typically learn from the experience and become more engaged and educated about data privacy.

As a bonus, a historical record of assessment results can demonstrate a company’s progress along its privacy compliance journey.

Key Global Data Privacy Research Findings About Privacy Assessments

For the past three years, TrustArc has conducted a global state of privacy study to gauge organizational attitudes, actions, and the impact of data privacy management on business.

The findings of the 2022 Global Privacy Benchmarks Report make it evident that critical privacy program activities and teams are well established in organizations from small to large across Europe and the U.S.

Feedback came from senior leadership inside the privacy office, privacy team members, and senior executives across 30 countries. Company size ranged from less than $50 million to over $5 billion in revenue.

Key Findings Include:

  • 26% use privacy audit assessments as the primary (and most popular) method for measuring their privacy programs.
  • 56% use Privacy Impact Assessment (PIA) completion rates as a key performance indicator (KPI).
  • Privacy Impact Assessments were the least likely area to be completely implemented throughout the supply chain.

The Key to a Successful Privacy Program

The first phase in building a successful compliance program is to review and identify gaps compared with all applicable data privacy regulations and to develop a remediation plan.

Some laws you may want to consider include:

  • EU GDPR
  • California CCPA
  • HIPAA
  • Brazil LGPD

Conducting a systematic evaluation of how personal data is collected, used, shared, and maintained by your organization gives your team the greatest opportunity to shape the evolution of its offerings with as few data privacy risks as possible.

Proven 5-Step Process for Privacy Assessments

Step One: Data Inventory

Conduct a data inventory through a series of questions to identify any personally identifiable information collected or used in the product or processes you are assessing. Map those data flows from the point of collection through storage and processing.

Include any resources involved in processing, retention, and deletion. Also, gather supporting documents such as requirements, specs, database schemas, and any third-party data protection agreements for your data inventory and mapping exercise.

Step Two: Risk Classification

The data inventory is mapped to the relevant products, systems, and business processes, and data elements are classified according to purpose, use, and associated risk level.

Using automated scanning, websites and mobile apps are checked for trackers and third-party technologies and given a Privacy Sensitive Index score; the scan also surfaces collection of personally identifiable information that would otherwise go unnoticed.

Step Three: Policy & Practices Compliance Review

With expert help, analyze your stated privacy policies and data management practices against the frameworks that apply given the nature and location of your organization.

This step includes a broad look at risk factors, including those introduced by service providers, vendors, and other third parties throughout your supply chain.

Step Four: Findings Report & Gap Analysis

From the compliance review you’ll receive a Findings Report & Gap Analysis outlining the full data lifecycle analysis and risk classification, and describing any gaps found versus the applicable frameworks and against industry best practices.

For each gap, TrustArc provides a recommended remediation measure, with required and best practice changes.

Step Five: Policy & Practices Change Guidance

Armed with our gap analysis and remediation recommendations, TrustArc can assist in the development of policies and training programs, provide sample language and templates, and validate remediation steps.

Privacy Risks Affecting Organizations

Findings from the 2022 Global Privacy Benchmark Survey reveal organizations still have much work to do when it comes to avoiding risk and minimizing violations.

In the past three years, the following percentages of organizations surveyed suffered:

  • 34% data breaches
  • 27% large-scale cybersecurity attacks
  • 25% regulatory investigations, actions, or fines
  • 24% data privacy lawsuits from consumers
  • 21% adverse media scrutiny due to data privacy practices or breaches