Privacy Impact Assessment

Overview


A Privacy Impact Assessment (PIA) is an analysis of how personally identifiable information is collected, used, shared, and maintained within the company. The purpose of a PIA is to demonstrate how privacy protections have been consciously incorporated at the system level and across the company throughout the information life cycle. The Privacy Impact Assessment captures potential risks or vulnerabilities and the likelihood that they will occur on a system. The Privacy Risk Register is maintained as part of the PIA process.

The assessment will be based on the privacy impact drivers for each system or process. The DataMap will capture and track the risks identified for each system.


Maintaining a Privacy Risk Register and evaluating overall privacy maturity are necessary components for measuring and managing privacy and data ethics within the organization.

Privacy Risk Impact


Privacy Risk Impact Drivers are the attributes of a system that contribute to its privacy risk. These include the volume of personal information on the system, retention periods, access, storage method, and controls. Privacy Risk Impact Drivers will be tracked in the DataMap. An overall Privacy Risk Impact will be calculated for each system based on its Privacy Risk Impact Drivers.


Privacy Risk Register


The Privacy Risk Register will provide an overview of all risks across all systems. The Privacy Risk Register is maintained in the DataMap. A typical risk register might contain the following fields and can be customized to an organization’s needs:


1. Potential Risks: The potential risks or vulnerabilities to which the organization may be exposed.

2. Risk Likelihood: The likelihood that a risk will materialize.

3. Risk Severity: The highest level of damage possible when a vulnerability or risk is realized.

4. Risk Impact Score: Overall score for each risk, based on its severity and likelihood.

5. Type of Impact: Potential types of impact to the organization if a risk materializes. These can include loss of trust with customers, economic loss, reputational loss, civil liabilities, regulatory action, etc.

6. Controls Implemented: Actions and privacy controls that lessen the probability and/or the negative consequences associated with a risk.

7. Risk Owner: The person responsible for accepting, managing, or mitigating the risk within the company.

8. Risk Priority: Each risk is classified into a Risk Priority level based on its risk impact score and type of impact. Four commonly used Risk Priority levels are:


• Avoid/Reduce: Risks to be absolutely avoided or significantly reduced by implementing controls that reduce both their impact and likelihood.

• Revisit: Moderate risks of lesser priority, to which the organization currently chooses to devote fewer resources.

• Accept: Risks that are accepted without further control implementation, especially if the treatment of other security or privacy risks also reduces this risk.

• Transfer: Risks for which responsibility can be transferred to another party that can accept and better address the risk and/or has the resources necessary to properly mitigate it.