Organizations that deal with personally identifiable information (PII) are increasingly aware of new privacy regulations like the EU’s General Data Protection Regulation (GDPR) and the California Consumer Protection Act (CCPA). But for those that are not yet directly impacted by existing legislation, the question is often, “What should we do about privacy?”
In the absence of a compelling business reason to comply with a privacy mandate, or to achieve certification against a broader information assurance framework like ISO 27001, the answer is often “Do nothing.” But that puts a company in a poor position to deal with new privacy laws, which are certainly coming in some form. And those that are slow to comply may face sanctions, lose customers, suffer reputational damage or all the above.
The First Step: a PIA or DPIA
One proactive and practical “first step” that offers a wealth of useful guidance, represents good practice towards planning new privacy controls and entails a significantly smaller scope than GDPR compliance or ISO 27001 certification is a Privacy Impact Assessment (PIA). The GDPR actually mandates this for some organizations and calls it a Data Protection Impact Assessment (DPIA).
- PII – A PIA or DPIA tells you how your business collects, uses, manages and shares PII (Personally Identifiable Information).
- Evaluate risks – It greatly helps organizations to identify and evaluate privacy risks associated with their data processing activities.
- Get your answers ready – Further, it answers most if not all of the questions that clients, vendors or auditors may put to you regarding your privacy posture.
- Flexible scope – A PIA can also have a flexible scope, ranging from the whole IT footprint to just a specific (or new) program, process, or system.
What is the purpose of a privacy impact assessment?
A properly executed PIA tells you what PII you have, where it is stored, where and how it is transmitted, which applications process it, and what roles or individuals can access it—all prerequisite information for implementing privacy controls. Even if you don’t need to comply with the GDPR or a similar regulation today, a PIA helps any business in any industry regardless of geographic exposure to know where they stand and prepare for whatever privacy guidelines the future may bring.
In a comparatively short time (and reasonable cost) you can have a comprehensive PIA report in-hand, and then decide where to go from there. This can save you time and money and put you a step ahead in the long run because any company that stores or processes PII will need this information.
For advice and guidance on conducting a PIA or DPIA, contact Pivot Point Security to get in touch with one of our privacy experts.