Privacy Impact Assessment… why it is important for organizations

Privacy Impact Assessment (PIA) is a tool for measuring compliance, identifying, and minimizing privacy-related risks, and demonstrating accountability. PIAs are conducted to safeguard the rights and freedoms of individuals in developing new products and services or undertaking any other initiatives that involve the processing of personal data. The objective of PIAs is to systematically identify the risks that the planned initiative poses to privacy and personal data, as well as to examine and evaluate alternative ways for data processing to mitigate these potential risks.

A PIA enables an organization to carefully analyse how a particular project, program, process, or system will affect the privacy of the individuals (data subjects) involved. The purpose of the PIA is to ensure that identified privacy risks are minimized–eliminated where possible - while allowing the objectives of the project to be met. Risk assessments, when done properly, can lead to the early identification of risk, which can be addressed at the early stages by analysing how the proposed uses of personal information and technology will work in practice. This analysis can be performed by consulting with the stakeholders–the people who will be working on, or affected by, the project, program, process, or system. A PIA will help ensure that an organization is taking a proportionate approach or measures to the use of personal data. It requires organizations to identify why a project, program, process, or system is necessary and what it is aiming to achieve. It will then help to achieve these aims without a disproportionate impact on privacy.

A PIA is not a legal requirement by most data protection or data privacy regulations–not even the mother of data protection (GDPR). However, conducting a PIA ensures compliance with laws and regulations governing privacy and demonstrates the organization’s commitment to protecting the privacy of any personal information they collect, store, retrieve, use, and share. It is a comprehensive analysis of how the organization’s IT systems or applications process personal data.

PIA demonstrates that program managers and system owners in the organization have consciously incorporated privacy protections throughout the development life cycle of a system or program. PIAs allow an organization to communicate more clearly with the public about how they handle information, including how they address privacy concerns and safeguard information. Ideally, PIAs are supposed to be a public document shared or posted on the organization’s website upon completion. PIAs should be conducted in plain language and in a manner that allows the public to understand the activities of the organization. Ideally, and as a good practice, PIAs should be reviewed annually to ensure they are accurate, up-to-date, and relevant.

Carrying out a PIA does not need to be complex or time-consuming. However, thoroughness is necessary to ensure that potential privacy risks are identified and mitigated. The complexity of a PIA, and resulting documentation, will depend on the complexity of the project. The PIA process should be suitable for the needs of the project and your institution.

PIA also significantly benefits the organization - facilitating communication and collaboration between the different stakeholders–those impacted and affected. Identifying risks to privacy and data protection is not always easy, but it is certainly worth all the efforts, costs, and resources. A thoroughly conducted PIA provides the organization with greater control over the daily business processes and enables it to make informed decisions regarding the new initiatives. Privacy does not prevent cool things from happening, but it ensures that things are in the right way as mandated by laws or regulations and as one would reasonably expect.

Privacy risks or impacts fall into two broad categories:

• Risks to individuals: This includes identity theft and other forms of fraud, adverse impact on employment or business opportunities, damage to reputation, embarrassment, distress, or financial impacts.
• Risks to institutions: This includes the financial, legal, and reputational impact of privacy breaches and the consequences of violating privacy laws and regulations.

Do you need a PIA?

The Office of the Privacy Commissioner of Canada has developed a great assessment flowchart that could help to determine if an organization needs to do a PIA or not. This flowchart can be found below.

Risks of not undertaking a PIA include:

• non-compliance with the letter or the spirit of relevant privacy laws or regulations, potentially leading to a privacy breach and/or negative publicity
• loss of credibility by the entity through lack of transparency in response to public concern about handling personal information
• damage to an entity’s reputation if the project fails to meet expectations about how personal information will be protected
• identification of privacy risks at a late stage in the project development or implementation, resulting in unnecessary costs or inadequate solutions.

Potential benefits of undertaking a PIA include:

• ensuring that the project is compliant with privacy laws and regulations
• reflecting community values around privacy and personal information in the project design
• reducing future costs in management time, legal expenses, and potential negative publicity, by considering privacy issues early in a project
• identifying strategies to achieve the project’s goals without impacting on privacy
• demonstrating to stakeholders that the project has been designed with privacy in mind
• promoting awareness and understanding of privacy issues inside the organisation
• contributing to broader organisational risk management processes
• building community awareness and acceptance of the project through public consultation.

A PIA may also assist an entity to demonstrate its compliance with its privacy obligations and its approach to managing privacy risk in the case of a future complaint, privacy assessment or investigation relating to the privacy aspects of a project.

Risks of not undertaking a PIA include:

• non-compliance with the letter or the spirit of relevant privacy laws or regulations, potentially leading to a privacy breach and/or negative publicity
• loss of credibility by the entity through lack of transparency in response to public concern about handling personal information
• damage to an entity’s reputation if the project cannot meet expectations about how personal information will be protected
• identification of privacy risks at a late stage in the project development or implementation, resulting in unnecessary costs or inadequate solutions.

Potential benefits of undertaking a PIA include:

• ensuring that the project complies with privacy laws and regulations
• reflecting community values around privacy and personal information in the project design
• reducing future costs in management time, legal expenses, and potential negative publicity, by considering privacy issues early in a project
• identifying strategies to achieve the project’s goals without impacting privacy
• demonstrating to stakeholders that the project has been designed with privacy in mind
• promoting awareness and understanding of privacy issues inside the organization
• contributing to broader organizational risk management processes
• building community awareness and acceptance of the project through public consultation.

A PIA may also assist an entity to demonstrate its compliance with its privacy obligations and its approach to managing privacy risk in the case of a future complaint, privacy assessment, or investigation relating to the privacy aspects of a project.

Author: Emmanuel K. Gadasu – CIPM, CDPS, CEH, CHFI

(Data Protection Officer, IIPGH and Data Privacy Consultant and Practitioner at Information Governance Solutions)

For comments, contact author [email protected] or Mobile: +233-243913077