Privacy Assessment Overview
Conducting a privacy assessment is a proven practice for keeping policy and practice continuously aligned. The assessment process is designed to uncover alignment gaps so they can be addressed before they become risk. The process sounds simple, but privacy is complex: depending on where you do business, a wide variety of laws, regulations, and policies can trigger the need for a privacy assessment. Moreover, the privacy landscape is continually changing, and your business is not standing still. As internal and external changes occur, further assessments may be needed.
While the privacy assessment may be a unifying concept, in practice no two companies are alike. The frequency, length, and organizational reach can vary greatly. Similarly, on-hand resources in both people and tools can impact a company’s ability to conduct an assessment. TRUSTe recently sponsored an independent, third-party benchmarking study to gain insight into common assessment practices.
In a blind survey of over 200 respondents who are actively involved in privacy assessments, key findings include:
- Conducting privacy assessments is a top priority for many companies
- Privacy maturity is the key driver of assessment volume (very mature companies conduct twice the average number)
- Assessments take a long time: 28 days and 175 hours on average
- Managing respondents and analyzing results are the top drivers of assessment length
- Assessments are labor intensive, involving 56 employees company-wide
- Budget and the team's time are the top inhibitors to conducting more assessments
- The average company conducts 59 privacy impact assessments (PIAs) per year
- Internal systems, email, and spreadsheets are the most common tools