What is a Privacy Impact Assessment?
A Privacy Impact Assessment (PIA), conducted as an internal audit, is a means of gaining clarity over, and establishing a typology of, the purpose and practicality of the Personally Identifiable Information (PII) your organisation stores and handles. Conducting a PIA enables you to establish the functionality of any stored personal data, consider whether the data is still required and, if so, what the data is to be used for in the future. In addition, a well-performed PIA can determine what risks your organisation faces from cyber criminals who may attempt to misuse, corrupt, or compromise the personal data your company stores.
The data security compliance approach, implemented through the performance of a PIA, is based on the two central pillars of security:
- Fundamental rights and principles, enshrined in our legal framework, which must be respected regardless of the associated risk. As proprietors of digital services, we should all be aware of these fundamental rights and know for certain where the red lines are.
- Management of your data and an assessment of privacy risks. These assessments determine the appropriate controls your organisation needs to put in place in order to protect personal data. Controls include any process, policy, practice or device that can be deployed to reduce and modify risk.
There is no statutory requirement to complete a PIA; however, there is a requirement to demonstrate and ensure compliance with applicable legal, regulatory, and statutory requirements around privacy.
Do you need to perform a PIA?
The PIA should be one of the first documents created when embarking on projects that will be using PII.
Examples of projects where a PIA is suitable would include:
- A new IT system for storing and accessing personal data.
- A data sharing initiative, where two or more organisations seek to pool or link sets of PII.
Once PII is identified by your PIA audit, you may then look at how that data is going to be used, stored, retained, and protected.
How to make an assessment
So, you have arrived at an all too familiar juncture. You’ve realised the need to perform a duty, to protect your business, and your customers. You realise the need to perform a PIA. But, how to go about it?
Steps to take:
In Excel, make a list in sequential columns: A B C D, and so on.
Column A: list all categories of personally identifiable information: names, addresses, dates of birth, contact numbers, email addresses, marital status, financial status, anything personal that is being stored.
Column B: identify the source of that data. Embed that source into this column.
Column C: state who has access to that data, and the process for gaining access.
Column D: provide details as to whether there is an audit trail showing each time the data is accessed and by whom.
Column E: state the format of the data and how it is stored, e.g. paper, electronic.
Column F: determine who is responsible for the data at this point.
Column G: input a list of any parties that information may be shared with, such as third-party suppliers and contractors, landlords, solicitors, courts, land registry, parties involved in legal transactions, retail, banking financial institutions, medical, etc.
Column H: state how that data is moved from A to B – if electronic, state if it is over a secure route.
Column I: identify how long the data will be kept.
Column J: set out the potential risk areas for data compromise. Consider spaces where data may be accidentally shared between colleagues, where employees may have unnecessary access to data, or vulnerability to ransomware attack, for instance.
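Once the register is filled in, a short script can flag the rows that need attention before any risk is scored. The following is an added example, not part of the original article: it assumes the spreadsheet is exported to CSV with the hypothetical headings shown, that column D holds "yes" or "no", and that column H ends in "| secure" when the route is secure; the sample rows are constructed.

```python
import csv
import io

# Assumed CSV headings for columns A-J of the register (the article names only the letters).
COLUMNS = ["category", "source", "access", "audit_trail", "format",
           "owner", "shared_with", "transfer", "retention", "risks"]

# Constructed sample register, not real data.
SAMPLE = """\
category,source,access,audit_trail,format,owner,shared_with,transfer,retention,risks
Email addresses,Web sign-up form,Marketing team via CRM login,yes,electronic,Marketing manager,Mailing supplier,API | secure,2 years,Unnecessary staff access
Dates of birth,HR onboarding form,HR via shared drive,no,electronic,HR lead,none,Email attachment | not secure,,Accidental sharing between colleagues
Home addresses,Paper application,Office staff; key to cabinet,yes,paper,Office manager,Solicitors,Courier,7 years,Loss in transit
"""


def review_register(csv_text):
    """Return (row_number, category, finding) for each gap in the register."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [c for c in COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"register is missing columns: {missing}")
    findings = []
    for row_no, raw in enumerate(reader, start=2):  # row 1 is the heading row
        row = {c: (raw[c] or "").strip() for c in COLUMNS}
        label = row["category"] or "(unnamed)"
        # Every column must be answered; write "none" where nothing applies.
        for letter, col in zip("ABCDEFGHIJ", COLUMNS):
            if not row[col]:
                findings.append((row_no, label, f"column {letter} ({col}) is blank"))
        # Column D: access to the data should leave an audit trail.
        if row["audit_trail"].lower() == "no":
            findings.append((row_no, label, "column D: no audit trail of access"))
        # Column H: electronic data should move over a secure route.
        electronic = "electronic" in row["format"].lower()
        transfer = row["transfer"].lower()
        if electronic and transfer and not transfer.endswith("| secure"):
            findings.append(
                (row_no, label, "column H: electronic transfer is not over a secure route"))
    return findings


if __name__ == "__main__":
    for row_no, label, finding in review_register(SAMPLE):
        print(f"row {row_no} [{label}]: {finding}")
```
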
So, now that’s done, it’s time to calculate some risk.
Calculating and Capturing Risk
As described earlier, adherence to the fundamental rights and principles of data protection is absolute. Adherence to protocol must be considered a most salient exercise. Application of a data protection strategy is the best way to ensure you meet the minimum operational requirements; calculating and capturing risk is a key part of this strategy. Through risk capture, we ensure data remains confidential, we ensure integrity is maintained, and crucially, we can guarantee the operability of your business and that of third parties.
Once you have performed your PIA, you may have established avenues of risk that could be exploited by cyber criminals. You must act swiftly to counteract the threat. Deploying a trusted risk management protocol can help:
- Avoid risk
- Reduce or mitigate risk
- Transfer risk
- Accept risk
Once you have enforced control, then the risk can be closed. Be sure to mark accordingly in Excel, so as to avoid confusion in the future. If there is a subsequent issue following implementation of the control, then there is a new risk raised against that control (mark accordingly).
It is vitally important to remember that an internal audit of your managed systems and protocols ensures good governance of your organisation. By applying a PIA to your company, you may uncover dangerous attack vectors threatening your business; you may discover that your employees are not yet skilled enough to defend against cyber threats; and you may find that it’s high time to discuss cyber security defence with a professional consultancy, such as CyberCX.