Data privacy impact assessment: The what, how, and why

If you can’t remember the last time you completed a data privacy impact assessment, you’re probably well overdue – especially if you’re sitting on access to sensitive information. The longer you put this process off, the more severe the consequences can become. Whether you store medical records, email addresses, or account numbers, you need to prioritize this structured process. There are even data privacy impact assessment templates to help you jump start the process. 

While exact steps will differ based on your organization's needs, information system, and capabilities, the result will remain the same. When you complete a data privacy impact assessment, you can enjoy the peace of mind that comes with security and compliance. Here's what you need to know to prevent a potentially devastating domino effect. 

Data security risk definition

Data security risk definition: Data security risks encompass practically anything threatening data integrity, confidentiality, or availability.

While cybersecurity threats like hackers tend to be top of mind, human errors and natural disasters are also data security risk sources. Once data is breached, the consequences can be difficult to contain — both for consumers and businesses. 

High-risk data examples include:

• Credit card or financial account numbers
• Healthy information, including protected health information and health insurance policy ID numbers
• Social Security numbers
• Passport numbers
• Donor contact info

To help prevent compromised data, data security examples include:

• Encryption 
• Data backup and recovery measures
• Hardware-based security 
• Firewalls 
• Authentication 
• Access controls

Privacy impact assessment

A privacy impact assessment (PIA) is a risk management process that helps you meet applicable legal, regulatory, and policy requirements regarding privacy. Government agencies and businesses use this process to show their commitment to the privacy of others. For example, Homeland Security leverages this process to identify and mitigate privacy risks, notifying the public when DHS collects Personally Identifiable Information, focusing on what data is collected, why, and how. 

When is a privacy impact assessment required?

1. When developing new systems or technologies that collect or store personal data — or modifying existing ones.
2. When initiating a new electronic collection of information for ten or more people, as outlined in the Paperwork Reduction Act (PRA).
3. When issuing new or updated regulations that impact personal information.
4. When categorizing system security controls as high-major or moderate-major.

Data breaches in 2022 show how rampant this issue is becoming. Taking proactive steps can keep you and your customers safe. 

Are you launching a new program or service? If so, accessing a comprehensive data privacy impact assessment template could help check all boxes concerning user privacy. 

Templates are beneficial when seeking a privacy impact assessment tool to successfully complete this step-by-step review process. The Ketch and SafeGuard partnership is a great place to start, offering Programmatic Privacy™ and program management solutions. SafeGuard Privacy's expert legal privacy team developed these templates, making it easier to take complete control of privacy programs.

Privacy impact assessment checklist

Have you completed a PIA for procedures that involve sensitive information? If not, remain mindful of the following:

• Determine the need. Are you developing, improving, and releasing a new product or service? If so, which regulatory frameworks do you need to consider?
• Plan based on the scope of the PIA, focusing on the budget, timeline, etc. 
• Determine who else needs to be involved. Stakeholders? HR? IT teams? Cybersecurity platforms?
• Know what type of data you will collect and how you will use it to get your ducks in a row concerning the next steps. 
• Pinpoint potential privacy risks and run compliance checks. 
• Identify strategies to reduce risk by partnering with key players. 
• Address those risks and monitor the process to make any necessary adjustments. 

Data protection impact assessment 

A data protection impact assessment (DPIA) is similar in that it's a process that identifies risks created when processing personal data. The ultimate goal is to identify and minimize data protection risks, particularly when data management involves a high risk to other people's personal information. 

Under Article 35 GDPR, you must conduct a DPIA whenever you begin a new project that involves a high risk to someone else's personal information. Europe has been ahead of the crowd concerning data privacy laws for years. However, the rest of the world is catching up, with new laws and regulations introduced each year. After introducing the EU GDPR (General Data Protection Regulation), many industries had to make significant changes. 

One of the requirements is the completion of DPIAs. Since then, certain states have begun passing data privacy laws that will also require DPIAs. Examples include the California Privacy Rights Act (CPRA) and the Colorado Privacy Act (CPA).

The key is to remember DPIAs should never be an afterthought. By completing this process, you can reveal risks before breaches arise. 

Here are some data protection risk examples that would require a DPIA:

• A business is implementing cameras to monitor clients, passengers, etc. 
• An HR department plans to update its system to process employee records.
• An online financial application collects personal information to verify the identity of users. 
• A marketing firm launches an algorithm to send personalized, triggered emails. 

In contrast, if you launched a product or service in the past and conducted a DPIA, you won't likely need a DPIA when adding new features that have nothing to do with processing personal information. 

‍