A Privacy Impact Assessment, or PIA, is an analysis of how personally identifiable information (PII) is collected, used, shared, and maintained across the organization and externally
Along with all the other acronyms concerning privacy, PII (Personally Identifiable Information), GDPR (General Data Protection Regulation), DPO (Data Protection Officer), COPPA (Children’s Online Privacy Protection Act), and many others, another one has emerged: PIA (Privacy Impact Assessment). PIAs will become very important in the next few years, so an examination of one of the latest data privacy tools is important for all those who use and manage data.
Basics of a Privacy Impact Assessment
What is a Privacy Impact Assessment? A Privacy Impact Assessment, or PIA, is an analysis of how personally identifiable information (PII) is collected, used, shared, and maintained. Why do it? If an organization needs to comply with the GDPR, a PIA will demonstrate that program managers and system owners have consciously incorporated privacy protections throughout the development life cycle of a system or program. Since one of the stipulations of the GDPR is that systems and processes must have the principles of data protection “built in” from the beginning of a project, doing a PIA becomes a necessity rather than a “nice to have.”
Even organizations that do not do business with Europe or have any data stored in the EU should consider doing this assessment. With all the uproar over data protection and individual privacy, a PIA can reveal where a company has weaknesses when it comes to protecting the personal data it collects, stores, and uses. No corporation should indiscriminately collect personal data or hold it indefinitely. Processes must be established to collect data only for a specific purpose, to inform the individual of the reason for collection, and to have a procedure for safely deleting the data when it has served its purpose. These processes can be legally and financially important in case of a data breach, because they demonstrate that the organization has shown due diligence when it comes to data protection. As has been demonstrated with organizations such as Target, Home Depot, and Equifax, failing to establish effective data management that protects personal data can have significant financial consequences for an organization’s reputation, because the public reacts strongly to any loss of privacy data.
Figure 1: Data Classifications Types
How can an organization know if the data it collects now is sensitive or protected data? Many organizations use a method of having three classifications of data. The first is Public Data, which is any data that will not harm the organization if disclosed, whether internally, intentionally to the public, or through a breach of the data. Typically, this is data that anyone within the organization has access to use.
The second classification is Confidential Data; this is data that is available only to authorized users within a department such as HR or Legal. Examples are information such as date of birth, number of dependents, education, employee address, names of relatives, and salary.
The third classification is Restricted Data and includes financial information, medical records, religious affiliation, ethnic origin, and any government-issued identification such as social security number, driver’s license number, passport number, or employee tax identification number. Restricted Data is also any data that could cause financial, legal, regulatory, or reputational damage if disclosed or compromised. One tricky thing about classifying data is that some parts of a record might be considered Confidential or Restricted while similar data is Public. For example, a retailer might want the addresses and phone numbers of its managers and salesmen to be public while the rest of those employees’ data is restricted and should be masked even when using it for testing purposes within the company.
Privacy Impact Assessment Process
Figure 2: Performing a Privacy Impact Assessment
Doing a PIA is not a trivial task, since it involves not only identifying and classifying personal data but also determining how the data will flow through business processes and technology, whether the data is being changed, whether it will be shared with a third party such as a vendor, and how and when the data will be deleted. A third party should have the same privacy practices as the source organization and provide agreements that bind it to protect the personal information collected while it is in its custody. Ideally, the Data Governance officers should be involved in the RFP, but they seldom are included. At the very least, any vendor should be required to follow the organization’s standards. Some questions that should be asked include whether the vendor has data management and data governance programs. Do they have a data model, and will they share this information? What are the vendor’s security procedures, do they have a data security team, and how do they handle outside threats?
PIAs should be started early in project development or design, and the results should be considered throughout the lifecycle. Just as with Data Quality or Data Governance initiatives, it is faster, easier, and more cost-effective to address privacy proactively rather than try to retrofit privacy protection once a process has been implemented and there is a fear of disrupting production.
Ideally, all organizations should create an information flow or repository to identify the personal data collected with these points to consider:
- Source of the information
- Who collected the information, the method and purpose
- Who is authorized to use the data
- Format of the information
- Security controls during any information transfer
- Location of the storage retention site
- The data disposal schedule
Many departments or divisions within an organization are involved in a PIA. Data Architects and Modelers should be able to identify personal data at the beginning of a project; however, PII is a legal concept, not a technical one, and developers are not always equipped to identify sensitive data and the controls it requires.
While it is the responsibility of every employee to properly protect the personal data entrusted to their organization, Data Governance should develop rules and processes to decide how personal data is used both inside and outside the business. Partnering with the Legal, Compliance, and Risk areas, they should identify how many people have access to sensitive data, for what purpose they have access, and who can legally grant internal users that access. Since Data Governance is often the group that manages data profiling, they can determine where privacy data is stored in legacy databases and look for potential instances of non-compliance with current data protection legislation.
In summary, here are some questions to answer when preparing and conducting a PIA:
- Do you have the appropriate legal authority to collect personal data?
- Have you received consent from your customers to use their data?
- Are you using out-of-date or irrelevant personal data to make decisions?
- Are you disclosing data to third parties that are not authorized or that do not keep personal data appropriately secure?
- Do you have processes in place to dispose of privacy data after use?
Many U.S. government agencies have started Privacy Impact Assessments of the data they collect and hold. These include the Department of Homeland Security, FEMA, the Federal Trade Commission, Health and Human Services, and the Department of Education. If Congress takes guidance from these governmental departments, it may not be too long before we have some type of federal “GDPR” regulation in the U.S. Organizations can be one step ahead by designing and performing PIAs to protect personal data now, rather than waiting until it is mandated.