Privacy Assessment Overview

Conducting a privacy assessment is a proven practice for ensuring the continuous alignment of policy and practice. The assessment process is designed to uncover alignment gaps so that they can be addressed to mitigate potential risk. The process seems simple, but privacy is complex. Depending on where you do business, a wide variety of laws, regulations, and policies can trigger the need for a privacy assessment. Moreover, the privacy landscape is continually changing, and your business is not standing still. As internal and external changes occur, further assessments may be needed.

While the privacy assessment may be a unifying concept, in practice no two companies are alike. The frequency, length, and organizational reach can vary greatly. Similarly, on-hand resources in both people and tools can impact a company’s ability to conduct an assessment. TRUSTe recently sponsored an independent, third-party benchmarking study to gain insight into common assessment practices.

In a blind survey of over 200 respondents who are actively involved in privacy assessments, key findings include:

  • Conducting privacy assessments is a top priority for many companies
  • Privacy maturity is the key driver of assessment volume (Very Mature = 2x Average)
  • Assessments take a long time – 28 days, 175 hours on average
  • Managing respondents and analysis are the top drivers of assessment length
  • Assessments are labor intensive – 56 employees company-wide
  • Budget and the team’s time are the top inhibitors to doing more assessments
  • The average company conducts 59 privacy impact assessments (PIAs) per year
  • Internal systems, email, and spreadsheets are the most common tools

Common Reasons to Conduct Privacy Assessments:

  • HR Data Transfer risk
  • Vendor Data risk
  • Kids Privacy risk
  • M&A analysis
  • New Product Launch
  • Incident Response Planning

Assessment Tips

Whether you are developing a privacy assessment process or want to improve the efficiency of a current process, there are some best practices that you should consider. Based on the UK ICO’s recommendations for privacy impact assessments, there are six steps that apply to many types of privacy assessments. Remember that an assessment is a process and having a well-planned and repeatable methodology is the key to efficient execution. The more you can refine your process, the better it will work for you.

Conducting the Assessment:

Identify the need for an assessment with a Privacy Threshold Analysis (PTA)

Although this may seem self-evident, it is a useful step. If there is no substantial privacy impact to a given activity, there may be no need to conduct a deeper dive. Therefore, when reviewing assets within a particular business unit (e.g., a business process, application or website), it is helpful to conduct an initial Privacy Threshold Analysis (PTA) for each asset. The answers to the PTA questions determine which assets collect or use personal data in a way that requires further analysis in an assessment, and which are out of scope for further review.

Describe the information flows (Data Mapping)

It is important to understand how personal data moves through a particular business process or system. Many organizations have already documented network maps and system diagrams. In the same way, data mapping in support of an assessment focuses on the ways in which data flows into, through, and out of a particular business process or system.

Identify and assess privacy-related risks

Having identified the activity and the nature of the personal data involved, the next step is to identify risks, which may arise in a number of ways. Establishing open channels of communication with all stakeholder groups ultimately leads to a more efficient process.

Identify and evaluate solutions (remediation)

When gaps are found, the privacy team assists the business owners in putting together a remediation plan. This includes prioritizing the outstanding privacy risks that need addressing and identifying which policy, procedure, process, or feature changes should be implemented.

Sign-off and record assessment outcomes

Compliant businesses document all aspects of the assessment extensively, except for areas that are ordinarily exempt from documentation, such as information shared under a non-disclosure agreement (NDA) or communication subject to attorney-client privilege.

Integrate the outcomes back into the plan of record

The final step of the assessment process is to fill the identified gaps. Additional documentation is helpful to clarify the steps required to remediate and the individuals within the company who will oversee each remediation effort. This is also the opportunity to document lessons learned from the assessment process for use in the next one.

A Guide for Structuring and Implementing PIAs

Assessment Automation

While conducting assessments is a recognized practice, there are a variety of approaches to conducting them. As companies define and implement their own corporate processes, they quickly realize that gaps in people, budgets, and privacy expertise present difficult challenges.

Moreover, accepting an assessment methodology without defining how to execute it can leave a team scrambling to patch together the best possible solution with the tools on hand, such as email and spreadsheets.

Although these tools are ubiquitous across the enterprise, they can be extremely inefficient. An assessment survey can take a long time to create. The various documents collected for each assessment can present organizational headaches. Tasks such as data collection, aggregation, documentation, and analysis require inefficient repetition and increase the chance of manual error. And having highly skilled employees do clerical work is not only an inefficient use of time; it can be a significant misuse of talent.

One of the biggest drags on efficiency is that such surveys simply take too long to conduct, potentially exposing a company to more risk and possibly keeping the privacy team from working on other important initiatives, such as audits, analysis, and training.

Those who manage the budget for privacy know that outsourcing can be expensive and in-house solutions may lack scale. Inspired by the governance, risk, and compliance (GRC) systems used by IT teams for enterprise risk management, leading privacy teams have recently begun to look at automated solutions that can increase their efficiency and can add scale at an affordable cost.

The value of automating the PIA process can extend far beyond time savings. Reducing the time needed to conduct a PIA and carefully defining the scope of what is assessed may play a key role in reducing reputational risk. Automation can free you to conduct a wider variety of assessments and to do them more often. Mitigating the risk of paying fines and penalties is another potential byproduct of automation. Reducing the time needed to review M&A, new vendor relationships, or new product launches may contribute to the return on automation investment in terms beyond this evaluation.

Finally, a streamlined, pain-free assessment solution could help drive greater privacy awareness across the enterprise. These potential benefits are more difficult to quantify, and they should be considered additive in the automation investment analysis. Nevertheless, you’ll first want to see a positive ROI in terms of the time saved for your team or budget saved from outsourcing.

Calculate the potential savings for these activities over the course of a year and if the return is positive, consider automating your assessments.

The ROI for Privacy Assessment Automation

Calculate Your Assessment Automation ROI

Does investing in assessment automation make sense for you? Take account of the wide variety of activities that can take place during the course of an assessment. Are they repeatable? Are they the best use of your time? Perhaps they are getting in the way of other high-value activities you want to be doing.

Take a few moments and estimate the internal cost for each step of an assessment. Then estimate the potential time savings automation can provide. Comparing the potential savings to your automation budget will help determine which solution is right for you.

How TRUSTe Can Help

TRUSTe can help you streamline the end-to-end assessment process, guiding you through each step and following the same assessment methodology used by TRUSTe consultants and analysts.

Assessment Manager

Assessment Manager was developed from the ground up as a highly automated solution for privacy assessments. By automating each privacy assessment you can save time and allow your team to do more.

Assessments Consulting

TRUSTe consultants can deliver a comprehensive review of your customer or employee data collection and usage practices against applicable frameworks. Each consulting assessment is powered by our privacy professionals and state-of-the-art Data Privacy Management (DPM) Platform.