Privacy Assessment Overview
Conducting a privacy assessment is a proven practice for ensuring the continuous alignment of policy and practice. What’s more, Privacy Impact Assessments (PIAs) are a requirement for companies subject to the EU General Data Protection Regulation (EU GDPR). The assessment process uncovers alignment gaps and allows them to be addressed to mitigate potential risk.
Depending on where you do business there are a wide variety of laws, regulations, and policies that can trigger the need for a privacy assessment. Moreover, the privacy landscape is continually changing, and your business is not standing still. As internal and external changes occur, further assessments may be needed.
While the EU GDPR may require to conduct privacy assessments, how they are conducted is not consistent because no two companies are alike. The frequency, length, and organizational reach can vary greatly. Similarly, on-hand resources in both people and tools can impact a company’s ability to conduct an assessment. TRUSTe recently sponsored an independent, third-party benchmarking study to gain insight into common assessment practices.
In a blind survey of over 200 respondents who are actively involved in privacy assessments, key findings include:
Conducting Privacy Assessments is top priority for many companies
Privacy Maturity key driver of volume (Very Mature = 2x Average)
Assessments take a long time – 28 days, 175 hours on average
Managing respondents and analysis are top drivers to length
Assessments are labor intensive – 56 employees company-wide
Budget and team’s time top inhibitors to doing more assessments
Average company conducts 59 privacy impact assessments (PIAs) per year
Internal systems, email, and spreadsheets most common tools