If you’re concerned about the privacy of your employees and customers (hint: you should be) you’ve likely heard of the Privacy Impact Assessment (PIA). But what exactly is a PIA? When does your business require one? What does a good PIA look like? And where do you start? Don’t worry – we’ve got you covered. In this blog we’ll go over everything you need to know about Privacy Impact Assessments.
What is a PIA?
Privacy Impact Assessments (PIAs) offer important insights into projects that collect, store, use, and/or disclose Personally Identifiable Information (PII). The resulting insights can not only save you time and money, but can also protect you and your company from real dangers.
Generally, a PIA will be required if your project could have an impact on the privacy of an individual’s personal information. So it’s important to conduct a PIA before embarking on any new or updated projects – or at the very least, as early as possible – to ensure regulatory compliance and avoid misusing or even exploiting the data you handle.
A comprehensive PIA will identify and assess how well a project meets legal and regulatory requirements, and how it affects the privacy of your clients, vendors, and even employees. In this context, a project can be defined as any proposed or existing information system, technology, program, or process.
A PIA should identify:
- Whether your project is compliant with privacy-related regulatory requirements.
- Data collecting practices that could impact the privacy of the person the collected data is about (the data subject).
- Recommended safeguards, processes, and strategies to address any identified weaknesses and vulnerabilities in your project.
Does my company need a PIA?
Depending on your company’s specific security and privacy needs and the frameworks you have to be compliant with, a PIA may or may not be required.
First things first – determine if your company is dealing with Personally Identifiable Information (PII). Section 2(1) of the Freedom of Information and Protection of Privacy Act (FIPPA) defines personal information as “recorded information about an identifiable individual”.
This can include, but is not limited to:
- Biographical information (e.g. name, sex, age, race)
- Biological information (e.g. face, fingerprints, blood type, etc.)
- Medical history / personal health information (PHI)
- Criminal history
- Financial information
- Identifying numbers (e.g. Social Insurance Numbers)
- Contact information (e.g. personal address, phone number, etc.)
- Personal opinions and views
If your company is dealing with PII, a PIA will likely be essential for your security and privacy compliance. While public sector organizations have been required to implement PIAs for many years now, it’s becoming more and more common for private sector companies to need one to be compliant.
The European Union’s General Data Protection Regulation (GDPR) requires all compliant organizations to conduct Data Protection Impact Assessments (DPIAs) to identify and assess any potential high risks. Fines for failing to comply with GDPR can cost up to €20 million or four per cent of global revenue (whichever is greater). Since the GDPR began enforcing compliance, total fines issued due to non-compliance have surpassed a whopping €1.3 billion!
That’s a pretty high cost to avoid doing a bit of due diligence.
If you are planning to work with a healthcare provider or organization that deals with virtual patient care in Ontario, Canada, you will be required to provide an acceptable PIA to comply with the Ontario Telemedicine Network (OTN) and Ontario Health regulations.
Based on Quebec’s new privacy legislation, all businesses will be required to conduct PIAs before an acquisition, development, or redesign of any information system or electronic service delivery project that deals with the collection, use, disclosure, storage, or destruction of Quebec citizens’ personal information.
While you may feel tempted to only conduct a PIA if you need to achieve compliance, there are a lot of benefits of carrying one out without being legally required to. A PIA provides:
- A clear demonstration of your company’s commitment to security and privacy
- A thorough review of the project’s privacy compliance and recommendations on how to improve
- A quantifiable form of evidence for:
  - Clients looking to make an informed decision that includes their vendor’s security and privacy practices.
  - Potential privacy breaches or complaints.
  - Proof of compliance during an audit.
- A roadmap that will reduce the number of redundant tasks and help you avoid costly mistakes.
What does a good PIA look like?
As with most things in life, not all PIAs are made the same. The Carbide technical team will often say “to receive the true benefits you don’t just need any PIA – you need a good PIA.”
Seems obvious, right? Unfortunately, particularly for fast-growing companies, the appeal of taking the fast way will often trump doing things the right way. This results in PIAs that are full of gaps, are too vague for auditors to accept, and end up being a waste of time, money, and effort.
Carbide’s Director of Security Advisory, Diane McCarthy explains that “auditors and potential clients don’t just need to know that you’re securing the data you work with. They need to know how. When it comes to a good PIA, thoroughness and attention to detail are essential.”
A good PIA should include:
- Executive Summary – An executive summary that outlines the details of the PIA, including timeline, scope, team, methodology, and systems under review.
- Policies & Safeguards – An overview of the company’s existing security and privacy policies and safeguards like awareness training, incident response, and access management.
- Data Information – Details about the information systems, the types of data they handle, and how they collect, analyze, protect, distribute, store, and/or destroy that data.
- Regulatory Assessment – An assessment of the regulations that apply to the company and confirmation of whether or not the company is in compliance.
- Recommendations and Action Plans – Details on how you can improve your information systems and project plan.
Where do I start with implementing a PIA?
There are generally 4 steps to conducting a PIA.
1. Preliminary Analysis:
- Assess the need for a PIA by determining if your project deals with PII in any way.
2. Project Analysis:
- Identify your team and assign responsibilities.
- Determine the requirements for the frameworks that apply to this project.
- Review the project, including its purpose, benefits, timeline, and deliverables.
- Clearly define the scope, legal requirement, and objectives of the assessment.
3. Privacy Analysis:
- Cross-reference the information gathered in Step 2 with the framework requirements to identify potential impacts on privacy.
- Review internal and third-party information security and data privacy policies, and data maps.
- Establish a clear understanding of all PII and PHI.
- Identify privacy risks and their impacts on framework regulations and internal policies.
- Develop mitigation strategies to address these weaknesses and vulnerabilities.
4. Create the PIA Report:
- Discuss findings and opportunities for improvement with senior management and technical leads.
- Summarize the project, objectives, privacy issues, privacy impacts, action plan, dependencies, and timelines to seek approval from decision-makers.
- Once you have received approval, move forward with your mitigation strategies and the project.
Keep in mind that this is a very general overview of a PIA; the complexity and depth of every PIA differs depending on the company, its project, and its specific security and privacy requirements. This is why engaging an expert with experience and insights can streamline the process. Conducting a PIA is a tedious process, but it doesn’t have to be difficult!
Not sure where to start? Connect with the Carbide Team to learn more about how we can support your security and privacy journey with comprehensive solutions including PIAs.