From PIA to DPIA: Why and How to Conduct a Privacy Risk Assessment

Batja Huisman
Batja Huisman
Aug 15, 2022
min read
From PIA to DPIA: Why and How to Conduct a Privacy Risk Assessment

According to Gartner, by 2023, 65% of the world’s population will have its personal information covered under modern privacy regulations. In addition to this worldwide legal motion of privacy regulations, consumers themselves are also becoming more privacy-savvy and demanding that businesses protect their personal information. A privacy risk assessment can help companies to answer these two complementing requirements. Let’s dive into the details of what a privacy risk assessment is, why it can benefit businesses, and how to conduct one.

What is a Privacy Risk Assessment?

A privacy risk assessment is a risk management framework for determining the risk of holding and maintaining PII (Personal Identifiable Information). Organizations can make informed decisions to prevent privacy-related mistakes by conducting privacy risk assessments. This ensures businesses comply with privacy regulations and can accommodate data privacy requests from consumers and authorities. As a result, companies that conduct privacy risk assessments are more likely to avoid legal and business implications of non-compliance and to build a long-term, trustworthy relationship with their customers.

Privacy risk assessments are often referred to as PIAs (Privacy Impact Assessments) or DPIA (Data Protection Impact Assessments). What does each of these privacy risk assessment types mean?

What are PIAs (Privacy Impact Assessments)?

PIAs are risk assessments that analyze an organization’s existing privacy controls. By monitoring the organizational processes, systems, applications, and products, a PIA determines to which extent PII is managed and secured and the extent of the business’s privacy risks when collecting, maintaining, and circulating PII.

This internal audit enables organizations to take action and resolve any blind spots by implementing actionable steps, for example, by adding privacy policies, enabling consumer opt-out, enforcing data encryption, etc. 

Businesses often run PIAs when they implement a new business initiative. Initiatives might range from a project as small as a new product launch to as large as an M&A.

What are DPIAs (Data Protection Impact Assessments)?

DPIAs are also risk assessments. However, unlike PIAs, they are connected to the GDPR. Article 35 of the GDPR requires businesses to develop and run DPIAs for high-risk data process activities.

This includes the following use cases:

  • Profiling and other types of evaluations of personal identifiable aspects
  • Large-scale processing of personal information and personal identifiable information
  • Data collection and processing that takes place in an automated manner
  • Surveillance of public areas at a large scale

DPIAs are expected to include:

  1. A methodical description of data processing activities and their purpose.
  2. An analysis of the legal reasoning behind data collection activities.
  3. An evaluation of the risk these data collection activities have on individuals.
  4. A presentation of the measures the business needs to take to mitigate these risks and ensure compliance with the GDPR.

The DPIA framework helps organizations comply with the GDPR and prevent the costly legal and business implications of violating this regulation. 

Why Businesses Need a Privacy Risk Assessment

Privacy risk assessments enable businesses to adhere to modern privacy requirements. These could be either compliance requirements by governmental organizations, consumer requirements demanding businesses to protect their data, or requirements of internal business stakeholders who are aware of the importance of privacy. Let’s break down each one of these requirements:

  • Compliance Regulations - New regulations are sprouting around the world. Legally binding requirements like the GDPR, CCPA, PIPEDA, CPA, and others all require varying extents of personal information management, maintenance, and control. By conducting a privacy risk assessment, businesses can identify compliance gaps, evaluate gaps and their risks and treat them - before suffering from the legal and financial implications of non-compliance.
  • Consumer Requirements - Individuals today are much more privacy-savvy than they were in the past. They know the exposure of their personal information could result in discrimination, personal embarrassment, financial losses, and even physical harm. As a result, they expect businesses to safeguard their personal data. A privacy risk assessment can help companies to build a long-term relationship with consumers based on trust.
  • Internal Security Requirements - The threat of a privacy data breach looms over businesses, mainly because it’s hard to anticipate the blast radius. A breach could occur due to a “silly” security overlook like a password (see: SolarWinds) or an innocent leak by an employee but still have a devastating publicized impact. With a privacy risk assessment, the business takes active steps to reduce this risk by identifying security and compliance threats, so it can take action to remediate them.

A privacy risk assessment is an opportunity for businesses - to do the right thing for both their customers and to protect their business - and reposition themselves as a privacy-first entity.

Benefits of a Privacy Risk Assessment

A privacy risk assessment might sound like a daunting and complicated process, but conducting an assessment actually has multiple benefits for businesses, including:

Being Prepared - for Anything

Privacy risk assessments are strategic initiatives that enable the business to plan privacy activities and prepare for compliance audits and consumer requests so they can prevent any unpleasant surprises. By running them, the company can ensure they are always ready, no matter which privacy curve ball comes their way. In other words, a privacy risk assessment can help avoid unnecessary stress.

Making Informed Decisions

A privacy risk assessment starts with identifying any privacy gaps in how the business collects, manages, and secures private information like credit card numbers, contact details, credentials, addresses, etc. Then, the assessment evaluates the risk of these gaps and information being leaked.

This data-driven and methodical approach enables businesses to make informed and cost-effective decisions regarding how to deal with privacy holes and blind spots. The decisions can be backed up and proven to show the benefit for the business. For example, by comparing the potential damage, a breach could have or by showing the time saved compared to the required process if a violated compliance regulation is found by the government.

Signaling to Consumers and Employees

Businesses today are subject to lots of pressure. Intense competition, geo-political tectonic shifts, the Great Resignation, and technological changes are just some of the changes keeping business owners up at night. Throughout this turmoil, it is important to maintain a stable and reliable relationship with consumers and with employees, and ensuring their privacy is an important way to do so.

Businesses that take action to safeguard consumer and employee personal data signal to them that they are their number one priority. While not every company can afford to run widespread campaigns touting their privacy-first actions, as Apple did, even a pop-up update on the website, an email or text message, or a social media update can do the trick. This will have a beneficial, long-lasting effect.

Preparing for Compliance Audits

Compliance requirements are strict and mandatory and cannot be treated lightly. A privacy risk assessment ensures no privacy requirements will fall through the cracks. It provides a comprehensive overview of all processes that need to be fixed and gives the business the chance to treat them before they become a legal liability. In addition, a privacy risk assessment provides the company with evidence that it took the required steps on the way to compliance to showcase to the authorities.

How to Conduct a Privacy Risk Assessment

Despite the importance and value of privacy risk assessments, there is no checklist or single step-by-step process to take when conducting one. There are, however, multiple tools in use by the industry. The main ones are:

Data Mapping

Data mapping is the process of reviewing, matching, and correlating data fields to create a unified, transparent, and comprehensive overview of where and how data is stored and used in the organization and how it flows within the organization's systems.

 A data map can include information about the number of data sources, their type, the types of data they contain, data accuracy, data quality, data structure, who has access to the data source, and more.

With data mapping, businesses can ensure their data is consistent and of high quality across all sources. This information enables them to identify potential privacy and compliance risks. Once gaps are identified, the remediation process can be streamlined. This helps organizations minimize privacy risks, fulfill regulatory requirements and take control over their data.

You can also use a data mapping tool that evaluates your third-party vendors to add an extra layer to your assessment easily.

Generating an Automated RoPA

A Record of Processing Activities (RoPA) is a record of the privacy procedures and maintenance of these procedures within the organization. A RoPA reveals up to 100% of data sources and presents them in an easy-to-understand manner. An automated RoPA tool will use data mapping to map data flows related to collecting, storing, processing, retaining, and deleting PII. Then, the tool will automatically generate the RoPA report and ensure it is kept updated. With the RoPA, businesses can gain insights into their privacy activities, identify gaps and mitigate them, and be ready for any audit.

Manual Assessments

A more traditional way of conducting a privacy risk assessment is through the manual collection of data. This includes handing out questionnaires, combing over spreadsheets, and conducting analysis of the results. This process is slow, time-consuming, and inaccurate, and therefore it is not recommended.

FAIR Privacy and NIST PRAM Assessments

More advanced, albeit still manual, ways of conducting a manual assessment is by using the FAIR Privacy or the NIST PRAM frameworks.

  • Fair Privacy - Based on the FAIR (Factors Analysis in Information Risk) method, Fair Privacy provides a guiding PowerPoint and a spreadsheet for calculating risk based on the Monte Carlo simulation.
  • NIST PRAM - PRAM (Privacy Risk Assessment Methodology) is a series of worksheets designed by NIST to help businesses “analyze, assess, and prioritize privacy risks to determine how to respond and select appropriate solutions.”

More details on both frameworks here.

External Assessments

An external assessment conducted by a consulting company can take away the heavy lifting of the privacy risk assessment from the business. The vendor will come in, assess all privacy mechanisms and provide recommendations of the next steps for the business to take.

When conducting an external assessment, it’s important to evaluate the ROI. This includes the costs of the process, as well as the long-term impact that comes from exposing sensitive data to an external vendor. In addition, it’s recommended to understand the data mapping process the vendor will conduct. Will they run a manual, error-prone process or introduce automated tools and techniques? What happens to your data after the vendor leaves the premises? How often is the assessment updated? And more. 

Next Steps for Businesses

Privacy risk assessments provide early warning for businesses about privacy gaps and their impact, so they can make informed decisions and prevent costly and embarrassing mistakes. To get started we recommend choosing an effective solution that removes the heavy lifting from you and provides an efficient and accurate result that you can quickly and easily act on.

Automated data mapping and RoPA report generation provides businesses with an effective and privacy-aware solution that provides insights into their data collection and management. These insights can then be easily translated into actionable steps that bridge any privacy gaps, enabling businesses to comply with regulations, respond to consumer requests and meet internal security requirements. In addition, an automated solution provides businesses with control over the assessment process and their data.