Privacy Assessment Overview

Conducting a privacy assessment is a proven practice for keeping policy and practice aligned. Under the EU General Data Protection Regulation (EU GDPR), Data Protection Impact Assessments (DPIAs, the GDPR's form of the Privacy Impact Assessment, or PIA) are mandatory under Article 35 for processing that is likely to result in a high risk to individuals. The assessment process uncovers alignment gaps so that they can be addressed before they turn into realized risk.

Depending on where you do business there are a wide variety of laws, regulations, and policies that can trigger the need for a privacy assessment. Moreover, the privacy landscape is continually changing, and your business is not standing still. As internal and external changes occur, further assessments may be needed.

While the EU GDPR may require companies to conduct privacy assessments, how they are conducted is not consistent, because no two companies are alike. The frequency, length, and organizational reach can vary greatly. Similarly, the resources on hand, in both people and tools, affect a company's ability to conduct an assessment. TRUSTe recently sponsored an independent, third-party benchmarking study to gain insight into common assessment practices.

In a blind survey of over 200 respondents who are actively involved in privacy assessments, key findings include:

  • Conducting privacy assessments is a top priority for many companies
  • Privacy maturity is the key driver of volume (very mature companies conduct 2x the average)
  • Assessments take a long time: 28 days and 175 hours on average
  • Managing respondents and analysis are the top drivers of length
  • Assessments are labor intensive: 56 employees involved company-wide on average
  • Budget and the team's time are the top inhibitors to doing more assessments
  • The average company conducts 59 privacy impact assessments (PIAs) per year
  • Internal systems, email, and spreadsheets are the most common tools

Common Reasons to Conduct Privacy Assessments:

  • EU GDPR
  • HR Data Transfer risk
  • Vendor Data risk
  • Kids Privacy risk
  • M&A analysis
  • New Product Launch
  • Incident Response Planning

Assessment Tips

Whether you are developing a privacy assessment process or want to improve the efficiency of your current process in anticipation of the EU GDPR, there are some best practices that you should consider.

Based on the UK ICO's recommendations for privacy impact assessments, there are six steps that apply to many types of privacy assessment. Remember that an assessment is a process: a well-planned, repeatable methodology is the key to efficient execution, and the more you refine it, the better it will serve you when you are called upon to demonstrate regulatory compliance.

Conducting the Assessment:

Identify the need for an assessment with a Privacy Threshold Analysis (PTA)

Although this may seem self-evident, it is a useful step. If there is no substantial privacy impact to a given activity, there may be no need to conduct a deeper dive. Therefore, when reviewing assets within a particular business unit (e.g., business process, application or website), it is helpful to conduct an initial Privacy Threshold Analysis (PTA) for each asset. The answers to the PTA questions will determine which assets collect or use personal data in a way that requires further analysis in an assessment and they also determine which are out of scope for further review.

Describe the information flows (Data Mapping)

It is important to understand how personal data moves through a particular business process or system. Many organizations already have network maps and system diagrams; data mapping for an assessment builds on these but focuses specifically on the ways personal data flows into, through and out of the process or system, including flows to vendors, to other business units and across jurisdictions.

Identify and assess privacy-related risks

Having identified the activity and the nature of the personal data involved, the next step is to identify the risks, both to the individuals whose data is processed and to the organization. These may arise from the collection itself, from how the data is used or shared, or from how it is secured and retained. Establishing open channels of communication with all stakeholder groups (business owners, IT, security, legal) makes this step, and the process as a whole, more efficient.

Identify and evaluate solutions (remediation)

When gaps are found, the privacy team assists the business owners in putting together a remediation plan. This includes prioritizing the outstanding privacy risks that need addressing and identifying which policy, procedure, process or feature changes should be implemented to address each one.

Sign-off and record assessment outcomes

Compliant businesses document all aspects of the assessment extensively, with the exception of material that is ordinarily exempt from documentation, such as information shared under a non-disclosure agreement (NDA) or communication subject to attorney-client privilege. Have your company's Data Protection Officer (DPO) determine what information must be recorded to satisfy the PIA / DPIA requirements of the GDPR and other applicable regulations.

Integrate the outcomes back into the plan of record

The final step of the assessment process is to fill the identified gaps. Additional documentation is helpful to clarify the steps required to remediate and the individuals within the company who will oversee each remediation effort. This is also the opportunity to document lessons learned from the assessment process for use in the next one. Showing closed gaps can be a good external demonstration of your compliance efforts, so be sure to properly record and retain the level of detail you may need to produce for a local Data Protection Authority (DPA).
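As an added example (my own illustration, not TRUSTe's Assessment Manager or the ICO's guidance), the following Python models the first two steps together: a Privacy Threshold Analysis run over a data map rather than over each asset in isolation. The asset inventory, the flows between assets and the threshold criteria (special-category data, children's data, profiling, cross-border transfer) are all constructed assumptions chosen to resemble common DPIA triggers; the system names are hypothetical. The point it shows is that assets which collect no personal data directly, such as the analytics warehouse and the backup below, still come into scope once the flows feeding them are followed.

```python
from dataclasses import dataclass

# Data categories that make processing high-risk on their own (assumed list,
# loosely modelled on the GDPR Art. 9 special categories; not from the page).
SPECIAL_CATEGORIES = frozenset({"health", "biometric", "ethnicity", "religion"})


@dataclass(frozen=True)
class Asset:
    """One inventoried asset: a business process, application or website."""
    name: str
    region: str                        # where the asset stores or processes data
    collects: frozenset = frozenset()  # categories collected directly from people
    children: bool = False             # data subjects are known to include minors
    profiling: bool = False            # the asset scores or profiles individuals


# Constructed sample inventory (hypothetical systems, not real ones).
ASSETS = {a.name: a for a in [
    Asset("careers-site", "EU", frozenset({"name", "email", "cv"})),
    Asset("hr-system", "EU", frozenset({"health", "bank_account"})),
    Asset("analytics-warehouse", "EU", profiling=True),
    Asset("us-backup", "US"),
    Asset("status-page", "EU"),  # holds no personal data at all
]}

# Constructed data map: (source, destination, categories transferred).
# None means "everything the source holds".
FLOWS = [
    ("careers-site", "hr-system", None),
    ("hr-system", "analytics-warehouse", frozenset({"health"})),
    ("analytics-warehouse", "us-backup", None),
]


def propagate(assets, flows):
    """Compute which categories each asset actually holds by following the
    data map to a fixed point. An asset that collects nothing directly can
    still hold personal data received from upstream; a PTA that only asks
    "what do you collect?" misses exactly these assets."""
    held = {name: set(a.collects) for name, a in assets.items()}
    changed = True
    while changed:
        changed = False
        for src, dst, cats in flows:
            moving = held[src] if cats is None else held[src] & cats
            new = moving - held[dst]
            if new:
                held[dst] |= new
                changed = True
    return held


def classify(asset, held, assets, flows):
    """Answer the PTA questions for one asset.

    Returns ("out-of-scope", []) if it holds no personal data, ("review", [])
    if it holds personal data but trips no high-risk indicator, and
    ("dpia", triggers) when one or more of the assumed criteria are met.
    """
    data = held[asset.name]
    if not data:
        return "out-of-scope", []
    triggers = []
    if data & SPECIAL_CATEGORIES:
        triggers.append("special-category data")
    if asset.children:
        triggers.append("children's data")
    if asset.profiling:
        triggers.append("profiling")
    # Assumed rule: a flow whose destination sits in a different region from
    # its source is a cross-border transfer, flagged on the receiving asset.
    for src, dst, _ in flows:
        if dst == asset.name and assets[src].region != asset.region:
            triggers.append(f"cross-border transfer from {src}")
    return ("dpia", triggers) if triggers else ("review", [])


def run_pta(assets=ASSETS, flows=FLOWS):
    """Run the threshold analysis over the whole inventory."""
    held = propagate(assets, flows)
    return {name: classify(a, held, assets, flows) for name, a in assets.items()}


if __name__ == "__main__":
    for name, (level, triggers) in run_pta().items():
        print(f"{name:20s} {level:12s} {', '.join(triggers)}")
```

Running it puts the careers site in the ordinary review bucket (personal data, no high-risk indicator), the status page out of scope, and the HR system, the analytics warehouse and the US backup into the DPIA bucket; the last two only because `propagate` carried the health data along the mapped flows. Swapping the constructed criteria for the ones your DPO settles on is the intended customization.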


Assessment Automation

While conducting assessments is a recognized practice, there are a variety of approaches to conducting them. As companies define and implement their own corporate processes, they quickly realize that gaps in people, budgets, and privacy expertise present difficult challenges.

Moreover, accepting an assessment methodology without defining how to execute it can leave a team scrambling to patch together the best possible solution with the tools on hand, such as email and spreadsheets.

Although these tools are ubiquitous across the enterprise, they can be extremely inefficient. An assessment survey can take a long time to create. The various documents collected for each assessment can present organizational headaches. Tasks such as data collection, aggregation, documentation, and analysis require repetitive manual work and increase the chance of error. And having highly skilled employees doing clerical work is not only an inefficient use of time; it can be a significant misuse of talent. Finally, if your goal is to provide a DPA with evidence of a PIA for GDPR compliance, email threads and spreadsheets may not be well received.

One of the biggest drags on efficiency is that such surveys simply take too long to conduct, potentially exposing a company to more risk and possibly keeping the privacy team from working on other important initiatives, such as audits, analysis, and training.

Those who manage the budget for privacy know that outsourcing can be expensive and in-house solutions may lack scale. Inspired by the governance, risk, and compliance (GRC) systems used by IT teams for enterprise risk management, leading privacy teams have recently begun to look at automated solutions that can increase their efficiency and can add scale at an affordable cost.

The value of automating the PIA process extends beyond time savings. Reducing the time needed to conduct a PIA and carefully defining the scope of what is assessed may play a key role in reducing reputational risk. Automation can free you to conduct a wider variety of assessments and to do them more often. Mitigating the risk of fines and penalties is another potential byproduct. Reducing the time needed to review M&A targets, new vendor relationships, or new product launches may add to the return on the automation investment in ways a simple time-savings evaluation does not capture. Consider also the value of quickly producing reports to demonstrate DPIA compliance as required by the EU GDPR.

Finally, a streamlined, pain-free assessment solution could help drive greater privacy awareness across the enterprise. These potential benefits are more difficult to quantify, and they should be considered additive in the automation investment analysis. Nevertheless, you’ll first want to see a positive ROI in terms of the time saved for your team or budget saved from outsourcing.

Calculate the potential savings for these activities over the course of a year and if the return is positive, consider automating your assessments.


Calculate Your Assessment Automation ROI

Decide whether investing in assessment automation makes sense for you by taking into account the wide variety of activities that take place during the course of an assessment. Are they repeatable, and are they the best use of your team's time? Can you quickly produce a report when a regulator asks for one, as the EU GDPR requires?

Take a few moments to estimate the internal cost of each step of an assessment. Then estimate the time savings automation could provide. Comparing the potential savings to your automation budget will help determine which solution is right for you.

How TRUSTe Can Help

TRUSTe can help you streamline the end-to-end assessment process, guiding you through each step and following the same assessment methodology used by TRUSTe consultants and analysts. Our tools and expertise can help you be ready for the PIA requirements of the EU GDPR.

Assessment Manager

Assessment Manager was developed from the ground up as an automated solution for privacy assessments. By automating assessments you can save time and gain efficiency wherever you are in your PIA process.

Assessments Consulting

TRUSTe consultants can deliver a comprehensive review of your customer or employee data collection and usage practices against applicable frameworks, including the EU GDPR. Each consulting assessment is powered by our privacy professionals and state-of-the-art Data Privacy Management (DPM) Platform. We can help you if you do not have a PIA process in place.