Privacy Assessment Overview

Conducting a privacy assessment is a proven practice for ensuring the continuous alignment of policy and practice. What’s more, Privacy Impact Assessments (PIAs) are a requirement for companies subject to the EU General Data Protection Regulation (EU GDPR). The assessment process uncovers alignment gaps and allows them to be addressed to mitigate potential risk.

Depending on where you do business there are a wide variety of laws, regulations, and policies that can trigger the need for a privacy assessment. Moreover, the privacy landscape is continually changing, and your business is not standing still. As internal and external changes occur, further assessments may be needed.

While the EU GDPR may require to conduct privacy assessments, how they are conducted is not consistent because no two companies are alike. The frequency, length, and organizational reach can vary greatly. Similarly, on-hand resources in both people and tools can impact a company’s ability to conduct an assessment. TRUSTe recently sponsored an independent, third-party benchmarking study to gain insight into common assessment practices.

In a blind survey of over 200 respondents who are actively involved in privacy assessments, key findings include:

Conducting Privacy Assessments is top priority for many companies
Privacy Maturity key driver of volume (Very Mature = 2x Average)
Assessments take a long time – 28 days, 175 hours on average
Managing respondents and analysis are top drivers to length
Assessments are labor intensive – 56 employees company-wide
Budget and team’s time top inhibitors to doing more assessments
Average company conducts 59 privacy impact assessments (PIAs) per year
Internal systems, email, and spreadsheets most common tools

Common Reasons to Conduct Privacy Assessments:

EU GDPR
HR Data Transfer risk
Vendor Data risk
Kids Privacy risk
M&A analysis
New Product Launch
Incident Response Planning

Assessment Tips

Whether you are developing a privacy assessment process or want to improve the efficiency of your current process in anticipation of the EU GDPR, there are some best practices that you should consider.

Based on the UK ICO’s recommendations for privacy impact assessments, there are six steps that apply to many types of privacy assessments. Remember that an assessment is a process and having a well-planned and repeatable methodology is the key to efficient execution. The more you can refine your process, the better it will work for you if called upon to produce regulatory compliance.

Conducting the Assessment:

Identify the need for an assessment with a Privacy Threshold Analysis (PTA)

Although this may seem self-evident, it is a useful step. If there is no substantial privacy impact to a given activity, there may be no need to conduct a deeper dive. Therefore, when reviewing assets within a particular business unit (e.g., business process, application or website), it is helpful to conduct an initial Privacy Threshold Analysis (PTA) for each asset. The answers to the PTA questions will determine which assets collect or use personal data in a way that requires further analysis in an assessment and they also determine which are out of scope for further review.

Describe the information flows (Data Mapping)

It is important to understand how personal data moves through a particular business process or system. Many organizations have already documented network maps and system diagrams. Similarly, to support an assessment, data mapping focuses on the ways in which data flows into, through and out of a particular business process or system.

Identify and assess privacy-related risks

Having identified the activity and the nature of the personal data involved, the next step is to identify risks, which may arise in a number of ways. Establishing open channels of communication with all stakeholder groups ultimately leads to a more efficient process.

Identify and evaluate solutions (remediation)

When gaps are found, the privacy team then assists the business owners in putting together a remediation plan. This includes a prioritization of outstanding privacy risks that need addressing, identification of which policy, procedure, process or feature changes should be implemented.

Sign-off and record assessment outcomes

Compliant businesses document all aspects of the assessment extensively, except for areas ordinarily free of the burden of documentation, such as information shared under a non-disclosure agreement (NDA) or communication subject to attorney-client privilege. Have your company’s Data Privacy Officer (DPO) determine what information needs to be recorded to satisfy the PIA / DPIA requirements of the GDPR and other applicable regulations.

Integrate the outcomes back into the plan of record

The final step of the assessment process is to fill the identified gaps. Additional documentation is helpful to clarify the steps required to remediate and the individuals within the company who will oversee each remediation effort. This is also the opportunity to document lessons learned from the assessment process for use in the next one. Showing closed gaps can be a good external demonstration of your compliance efforts, so be sure to properly record and retain the level of detail you may need to produce for a local Data Protection Authority (DPA).

Contact Us

Whether you're new to privacy or are a seasoned professional, TrustArc can help. Contact Us

Assessment Automation

While conducting assessments is a recognized practice there are a variety of approaches to conducting them. As companies define and implement their own corporate processes they quickly realize that gaps in people, budgets, and privacy expertise present difficult challenges.

Moreover, accepting an assessment methodology without defining how to execute it can leave a team scrambling to patch together the best possible solution with the tools on hand, such as email and spreadsheets.

Although these tools share enterprise-wide ubiquity, they can be extremely inefficient. An assessment survey can take a long time to create. The various documents collected for each assessment can present organizational headaches. Tasks such as data aggregation, collection, documentation, and analysis require inefficient repetition and can increase the chance of manual error. And having highly skilled employees doing clerical work is not only an inefficient use of time; it can be a significant misuse of talent. Finally, if your goal is to provide a DPA proof of a PIA for GDPR compliance, email and spreadsheets may not be well-received.

One of the biggest drags on efficiency is that such surveys simply take too long to conduct, potentially exposing a company to more risk and possibly keeping the privacy team from working on other important initiatives, such as audits, analysis, and training.

Those who manage the budget for privacy know that outsourcing can be expensive and in-house solutions may lack scale. Inspired by the governance, risk, and compliance (GRC) systems used by IT teams for enterprise risk management, leading privacy teams have recently begun to look at automated solutions that can increase their efficiency and can add scale at an affordable cost.

The value of automating the PIA process can extend far beyond time savings. Reducing the time needed to conduct a PIA and carefully defining the scope of what is assessed may play a key role in reducing reputational risk. Automation can free you to conduct a wider variety of assessments and to do them more often. Mitigating the risk of paying fines and penalties is another potential byproduct of automation. Reducing the time needed to review M&A, new vendor relationships, or new product launches may contribute to the return on automation investment in terms beyond this evaluation. Consider the value of quickly producing reports to demonstrate PIA compliance as required by the EU GDPR.

Finally, a streamlined, pain-free assessment solution could help drive greater privacy awareness across the enterprise. These potential benefits are more difficult to quantify, and they should be considered additive in the automation investment analysis. Nevertheless, you’ll first want to see a positive ROI in terms of the time saved for your team or budget saved from outsourcing.

Calculate the potential savings for these activities over the course of a year and if the return is positive, consider automating your assessments.

Contact Us

Whether you're new to privacy or are a seasoned professional, TrustArc can help. Contact Us

Calculate Your Assessment Automation ROI

Decide if investing in assessment automation make sense for you by taking in account of the wide variety of activities can take place during the course of an assessment. Are they repeatable and are they the best use of your time? Can you quickly produce a report, as required by the EU GDPR?

Take few moments and estimate the internal cost for each step of an assessment. Then estimate the potential time-savings automation can provide. Comparing the potential savings to your automation budget will help determine what solution is right for you.

11. Baseline Assumptions
22. Research and Analysis
43. Assessment Design and Setup
54. Data Collection & Project Management
75. Privacy Analysis & Risk Review
86. Remediation Planning & Tracking
107. Reporting and Approval
8. Generate Report

Preview Next

Overview
Annual Number of Assessments
Choose a baseline number of assessments per year for your ROI calculation. Our benchmarking research shows that an average (mean) enterprise does 59 assessments per year.
Consider Privacy Impact Assessments (PIAs) and all of the other business drivers for which you need to assess (HR Data Transfer Risk, Vendor Data Risk, Kids Privacy Risk, M&A Analysis, Incident Response Planning, etc.). Also include any legal or regulatory requirements you’ll want to assess (e.g. EU Privacy Shield, GDPR, COPPA, EU Cookie Directive). Finally, adjust the number of assessment to where your program needs to be to meet your privacy program needs. An assessment automation solution should help you identify and address a wider variety of risks. If you’re unsure, 2 per month may be a good assumption for your first calculation.
# of Assessments / Year
Enter Your Estimates
Time Savings
The amount of time saving from automating privacy assessments will vary by company, but our experience is 20-30% or more is common.
Automation Time Savings
Automation Investment
Once you calculate the potential savings from automation, you’ll want to compare it against the total cost of ownership.
Automation Investment
Please enter a value greater than or equal to 0.
Step 2
The first step is to determine if and where you may have compliance risk. How might your company be impacted, what business units, countries, product lines, employees, vendors or others may be involved? In larger enterprise organization it can take some time to understand the intricate details of business processes and data flows. Your Privacy Threshold Analysis will ultimately determine the scope of an assessment, if one is needed. If it is not required a best practice is to document the analysis and decision. When you need to assess, internal and external policies are analyzed to determine the specific business practices (controls) that need to be in place to be compliant.
Hours per Assessment
Hourly Rate
Saving Per Assessment
Step 3
After determining needed controls, develop the questions that will be sent out to internal and external stakeholders as a survey to determine privacy compliance. Care should be taken to ensure that questions are presented in clear, concise business language that is easily understood by all. The entire question set should be organized to provide a logical flow and facilitate easy completion and analysis.
Hours per Assessment
Hourly Rate
Saving Per Assessment
Step 4
Sending survey questions to all stakeholders and tracking them down until completion can be very time consuming. Answers may require additional clarification and open the door for more questions. Assessment surveys also require the responder's time and effort. While the amount of time for a simple question may be negligible, some answers may be complex and require additional evidence or documentation. Once a survey is complete, answers from responders must be compiled. Data may be in the form of open-ended email responses or notes from a personal conversation. All answers should be compiled in a single location and organized to facilitate privacy analysis.
Hours per Assessment
Hourly Rate
Saving Per Assessment
Step 5
Assessment surveys can require extensive time to go through all of the responses and determine whether answers are compliant or not. Not all answers are black and white, so you need to gain an understanding of why something may not be compliant, what control is not properly in place, and the potential risks to determine what action may be required.
Hours per Assessment
Hourly Rate
Saving Per Assessment
Step 6
Correcting any non-compliant issue may require time. Some risk may be acceptable and can be accepted, or may require additional executive signoff. The entire assessment may require multiple levels of approval. The time needed to remediate, record, and approve an assessment can be quick or lengthy.
Hours per Assessment
Hourly Rate
Saving Per Assessment
Step 7
When an assessment is complete, the amount of time needed to socialize results, answer questions and gain final approvals can be lengthy.

You will also want to archive reports in a way to facilitate quick access for internal audits or demonstration of compliance to a Data Protection Authority – as required by the EU GDPR.
Hours per Assessment
Hourly Rate
Saving Per Assessment
Last Step
This report is based on the assumption that automating each step could save 75% of the time otherwise required.
Company
First Name
Last Name
Country
State
Work Email
Total Annual Savings
ROI

How TrustArc Can Help

TrustArc can help you streamline the end-to-end assessment process guiding you trough each step, and following the same assessment methodology used by TrustArc consultants and analysts. Our tools and expertise can help you be ready for the PIA requirements of the EU GDPR.

Assessment Manager

Assessment Manager was developed from the ground up as an automated solution for privacy assessments. Automating assessment you can save time and product greater efficiency wherever you are in your PIA process.

Assessments Consulting

TrustArc consultants can deliver a comprehensive review of your customer or employee data collection and usage practices against applicable frameworks, including the EU GDPR. Each consulting assessment is powered by our privacy professionals and state-of-the-art Data Privacy Management (DPM) Platform. We can help you if you do not have a PIA process in place.

Contact Us

Whether you're new to privacy or are a seasoned professional, TrustArc can help. Contact Us

Prepare for the GDPR with Privacy Impact Assessment Automation

Navigation

Privacy Assessment Overview

In a blind survey of over 200 respondents who are actively involved in privacy assessments, key findings include:

Common Reasons to Conduct Privacy Assessments:

Assessment Tips

Conducting the Assessment:

Identify the need for an assessment with a Privacy Threshold Analysis (PTA)

Describe the information flows (Data Mapping)

Identify and assess privacy-related risks

Identify and evaluate solutions (remediation)

Sign-off and record assessment outcomes

Integrate the outcomes back into the plan of record

Contact Us

Assessment Automation

Contact Us

Calculate Your Assessment Automation ROI

Baseline Assumptions

Annual Number of Assessments

Time Savings

Automation Investment

Research and Analysis

Assessment Design and Setup

Data Collection & Project Management

Privacy Analysis & Risk Review

Remediation Planning & Tracking

Reporting and Approval

Your Calculations

Total Annual Savings:

Return on Investment:

Time Saved Per Assessment:

Baseline Assumptions

Overview

Annual Number of Assessments

Time Savings

Automation Investment

Step 2

Step 3

Step 4

Step 5

Step 6

Step 7

Last Step

How TrustArc Can Help

Assessment Manager

Assessments Consulting

Contact Us