Taking the 1st Step in Your Privacy Compliance Journey – Conducting a Privacy Impact Assessment (PIA)

A privacy impact assessment (PIA) and a data protection impact assessment are valuable tools for gauging how projects, systems, programs, products or services affect the data an organization holds, and they are increasingly required by law.

When to Perform a PIA

Having a good understanding of what a PIA is, how to conduct one, and who needs to be involved can be the key to determining the true effect a new project will have on your organization.

Organizations should use PIAs (a) before commencing a project, to identify privacy risks in the design and implementation process and assess how to mitigate those risks; (b) during a program or project’s lifecycle, to evaluate changes that create new privacy risks; and (c) at the end of a project’s lifecycle, to evaluate how the project’s information should be deleted or retained after completion.

PIA Triggers

  • Collection of new information about individuals whether compelled or voluntary
  • Conversion of records from paper-based to electronic format
  • Conversion of information from anonymous to identifiable format
  • System management changes involving significant new uses and/or application of new technologies
  • Significant merging, matching or other manipulation of multiple databases containing PII
  • Application of user-authentication technology to a publicly accessible system
  • Incorporation into existing databases of PII obtained from commercial or public sources
  • Significant new inter-agency exchanges or uses of PII
  • Alteration of a business process resulting in a significant new collection, use and/or disclosure of PII
  • Alteration of the character of PII due to the addition of qualitatively new types of PII
  • Implementation of projects using third-party service providers

How We Measure Risk

A comprehensive data privacy strategy protects against the growing risks and reputational damage associated with data breaches. However, privacy carries a broader range of risk categories, which we consider in our assessments.

We address Inherent Risk Level, Residual Risk Level, and Target Risk Level in all of these assessments, with deep dives into:

  • Privacy Policy, Forms & Disclosures
  • Program Governance
  • Records Retention
  • Service Provider / Vendor Management
  • Training and Awareness

Contact Us Today To Schedule Your PIA!
