{"id":2637,"date":"2022-08-23T13:54:00","date_gmt":"2022-08-23T19:54:00","guid":{"rendered":"https:\/\/trustarc.com\/?post_type=resource&#038;p=2637"},"modified":"2024-10-24T11:32:41","modified_gmt":"2024-10-24T17:32:41","slug":"privacy-impact-assessment","status":"publish","type":"resource","link":"https:\/\/trustarc.com\/resource\/privacy-impact-assessment\/","title":{"rendered":"Mitigate Risk, Protect Consumer Data With a Privacy Impact Assessment"},"content":{"rendered":"\t\t<section id=\"block_693cdaf44c6746ac747e88f63a8bd410\" class=\"resource-intro intro-simple\">\n\t\t\t<div class=\"container\">\n\t\t\t\t\t\t\t\t\t<strong class=\"sub-title block uppercase\">Articles<\/strong>\n\t\t\t\t\t\t\t\t\t\t<h1>Mitigate Risk, Protect Consumer Data With a Privacy Impact Assessment<\/h1>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\n\n\t<section id=\"block_e38f015fa985ef6e6ee31c72b3542632\" class=\"columns-content\">\n\t\t<div class=\"container\">\n\t\t\t<div class=\"left\">\n\t\t\t\t\t\t\t<\/div>\n\t\t\t<div class=\"middle\">\n\t\t\t\t<div class=\"content\">\n\t\t\t\t\t<p>Not too long ago, privacy was an afterthought, something that most customers and companies weren\u2019t overly concerned about.<\/p>\n<p>Now, most consumer concerns around connected devices include privacy breaches and unauthorized information gathering.
Company privacy departments have grown from one person to an entire staff.<\/p>\n<p>Conducting a Privacy Impact Assessment (PIA) is a common process to ensure consumer data is collected safely and transparently while mitigating risk for the organization.<\/p>\n<p>Risks are identified and assessed while privacy and security teams act to minimize privacy risks for specific products, services, and systems.<\/p>\n<p>The assessment serves to help companies see where they stand in terms of privacy practices, thereby also helping companies protect consumers\u2019 personal data.<\/p>\n<p><strong>Big data presents many commercial business opportunities but must be mined safely.<\/strong>\u00a0Several high-profile companies have made headlines for privacy breaches, and although it\u2019s possible to recover, it can be a long and slow process.<\/p>\n<p>Businesses of all sizes should consistently conduct PIAs. For companies that want to be around long-term, data privacy is not optional.<\/p>\n<h2>Consumer privacy concerns<\/h2>\n<p>In the past, TrustArc conducted numerous surveys asking people about their thoughts regarding smart technology, connected devices, and privacy issues.<\/p>\n<p><strong>It\u2019s clear from our surveys and\u00a0<a href=\"https:\/\/thedigitalstandard.org\/downloads\/CR_PrivacyFrontAndCenter_102020_vf.pdf\" target=\"_blank\" rel=\"noopener\">external research that consumers are concerned about privacy<\/a>, and businesses need to alleviate those concerns.<\/strong><\/p>\n<ul>\n<li>65% of American consumers say they are slightly or not at all confident that personal data is private.<\/li>\n<li>96% of Americans agree that more should be done to ensure that companies protect consumers\u2019 privacy.<\/li>\n<li>62% of smart product owners worry about the potential loss of privacy.<\/li>\n<\/ul>\n<p>A company\u2019s privacy team is responsible for ensuring that the organization uses personal data ethically and in a way that\u2019s consistent with the
company\u2019s privacy policy.<\/p>\n<h2>Before starting a Privacy Impact Assessment (PIA)<\/h2>\n<p>To handle personal data, organizations must be as transparent as possible with customers and provide notice about how they will use customer data.<\/p>\n<p>If you give customers choices and control over how their personal data is used, they\u2019re more likely to provide information and trust the organization.<\/p>\n<p><b>Examples of personal data include<\/b>\u00a0contact information, social security numbers, driver\u2019s licenses, financial account information, individually identifiable health information, login credentials, device IDs, browsing habits, and personal preferences.<\/p>\n<p>Many businesses collect data without even thinking about it. Nevertheless, it\u2019s vital to be aware that you\u2019re collecting this information and to ensure its protection.<\/p>\n<h3>PIA Budget and Timeline<\/h3>\n<p>Agree on a budget and clarify the PIA expenses to be incurred throughout this process before you start.\u00a0<a href=\"https:\/\/blog.trustarc.com\/2022\/05\/19\/roi-of-privacy\/\" target=\"_blank\" rel=\"noopener\">Factor in the ROI of reducing the company\u2019s risk<\/a>.<\/p>\n<p>These expenses typically include consulting fees, tools to automate the assessment process, and employee labor to conduct the assessment.<\/p>\n<p>At start-ups, employees sometimes abandon the process to put out fires and launch other projects. All companies need to set realistic timeframes and schedule regular meetings to monitor assessment progress.<\/p>\n<p>The privacy office will need an adequate number of employees to support the PIA process, which needs cross-department support on occasion.
Assembling the right PIA team is essential to conducting a successful assessment.<\/p>\n<p><b>Some of the members a PIA team should include are:<\/b><\/p>\n<ul>\n<li>An executive responsible for the budget for the PIA \u2013 perhaps the CISO, CIO, DPO, CPO, or CTO.<\/li>\n<li>Privacy office staff to lead the effort and track daily progress.<\/li>\n<li>Product managers, IT managers, and marketing managers.<\/li>\n<li>Members of the company\u2019s legal team who are experts in data privacy.<\/li>\n<li>External privacy consultants to offer outside perspective and help ensure compliance.<\/li>\n<\/ul>\n<h2>Six steps for conducting Privacy Impact Assessments<\/h2>\n<ol>\n<li>Identify the need for a PIA with a Privacy Threshold Analysis<\/li>\n<li>Describe the data flows by data mapping<\/li>\n<li>Identify and assess privacy risks<\/li>\n<li>Identify and evaluate the solutions (remediation)<\/li>\n<li>Sign-off and record PIA outcomes<\/li>\n<li>Integrate the PIA outcomes back into the PIA plan of record<\/li>\n<\/ol>\n<p><strong>Conducting a PIA is an efficient way for a company to evaluate its privacy practices and pinpoint any weak areas.<\/strong><\/p>\n<h3>Starting a PIA<\/h3>\n<p>The first step in the PIA process is identifying the need with a\u00a0<strong>Privacy Threshold Analysis<\/strong>.<\/p>\n<p>Analyze each business asset and the privacy concerns surrounding those assets to determine the potential privacy impact.<\/p>\n<p>The questions in the threshold analysis are high-level, and the answers will determine which assets collect data in a way that needs further analysis.<\/p>\n<p>If the answers to the threshold analysis demonstrate that personal data is collected and used in a manner that requires further analysis, then the privacy team will fill out a PIA questionnaire.<\/p>\n<p>This questionnaire is more specific regarding the nature of data collection and other data practices. 
This initial process helps determine the scope of the assessment.<\/p>\n<p>The questionnaire answers describe what personal data is collected, the sources of that information, its intended use, whether it\u2019s shared with any third parties, and the mechanism for individuals to grant or decline their consent.<\/p>\n<p>Meticulously examining high-level privacy practices from the very start of this process will ensure the accuracy of the PIA. Going forward, the PIA will dive deeper into a company\u2019s privacy practices.<\/p>\n<h3>Describe data flows with data mapping<\/h3>\n<p>The second step of a PIA is to describe the information flows,\u00a0<a href=\"https:\/\/blog.trustarc.com\/2022\/07\/05\/data-inventory-mapping-compliance\/\" target=\"_blank\" rel=\"noopener\">also called data mapping<\/a>.<\/p>\n<p>Using a data map, organizations can ensure executives \u2013 in addition to the privacy team \u2013\u00a0<strong>know how data flows through their organization<\/strong>.<\/p>\n<p>By examining the data map, those conducting the PIA can focus on how data flows into, through, and out of an organization \u2013 and identify any gaps where data is not protected.<\/p>\n<p>Data mapping also precisely answers why data is collected, where it\u2019s stored, who can access it, and other important questions.<\/p>\n<h3>Identify and assess privacy risks<\/h3>\n<p>The third step is to identify and assess privacy-related risks.
Once the data map exists, it becomes easier to\u00a0<a href=\"https:\/\/blog.trustarc.com\/2022\/05\/10\/proactively-manage-privacy-risk\/\" target=\"_blank\" rel=\"noopener\">identify where potential risks<\/a>\u00a0in the data collection process lie for the organization being assessed.<\/p>\n<p><strong>To start identifying risks, examine:<\/strong><\/p>\n<ul>\n<li>where notice and choice to an individual are not adequate<\/li>\n<li>when security controls are insufficient<\/li>\n<li>when data quality is compromised<\/li>\n<\/ul>\n<p>This step helps communicate to executives and stakeholders the exact privacy risks that the organization could face.<\/p>\n<h3>Remediation<\/h3>\n<p>Step 4 is to identify and evaluate solutions for the privacy gaps discovered in the earlier steps. Experts should create a remediation plan and determine which features must be implemented.<\/p>\n<p>Prioritize the outstanding privacy risks that need to be addressed, along with any changes to privacy policies, procedures, or processes. Some risks will require escalation to executives with the authority to execute the solution.<\/p>\n<p>Follow the documented remediation plan so you can later demonstrate how the organization addresses known privacy risks.<\/p>\n<h3>Sign-off and record PIA outcomes<\/h3>\n<p>The remediation plan from step 4 is recorded for future use as the PIA plan of record. A compliant business will\u00a0<strong>document the problem and solution in detail<\/strong>, except for data covered under non-disclosure agreements.<\/p>\n<p>The main value of the plan of record lies in keeping it accessible and useful for the next time the same product or activity is up for review or a problem arises. Maintain the plan to preserve its value.<\/p>\n<h3>Integrate outcomes into the PIA plan of record<\/h3>\n<p>The final step is to integrate the outcomes back into the PIA plan of record.
Essentially, this means filling the identified gaps.<\/p>\n<p>This document lists the people responsible for overseeing the remediation effort and clarifies the steps required to remediate risk.<\/p>\n<p>Don\u2019t miss the opportunity to record the lessons learned to reduce the risk of future issues. A carefully maintained PIA plan of record details the ground that has already been covered and reduces the risk in future efforts to gather information.<\/p>\n\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t<\/section>\n\t","protected":false},"excerpt":{"rendered":"<p>Follow 6 steps to conduct a Privacy Impact Assessment (PIA) and ensure consumer data is collected safely while mitigating risk for the
organization.<\/p>\n","protected":false},"featured_media":1692,"template":"","topic-resource":[71,68],"type-resource":[6],"class_list":["post-2637","resource","type-resource","status-publish","has-post-thumbnail","hentry","topic-resource-privacy-assessments","topic-resource-risk-management","type-resource-articles"],"acf":[],"_links":{"self":[{"href":"https:\/\/trustarc.com\/wp-json\/wp\/v2\/resource\/2637","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/trustarc.com\/wp-json\/wp\/v2\/resource"}],"about":[{"href":"https:\/\/trustarc.com\/wp-json\/wp\/v2\/types\/resource"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/trustarc.com\/wp-json\/wp\/v2\/media\/1692"}],"wp:attachment":[{"href":"https:\/\/trustarc.com\/wp-json\/wp\/v2\/media?parent=2637"}],"wp:term":[{"taxonomy":"topic-resource","embeddable":true,"href":"https:\/\/trustarc.com\/wp-json\/wp\/v2\/topic-resource?post=2637"},{"taxonomy":"type-resource","embeddable":true,"href":"https:\/\/trustarc.com\/wp-json\/wp\/v2\/type-resource?post=2637"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}