privacy impact assessment (PIA)

What is a privacy impact assessment?

A privacy impact assessment (PIA) is a method for identifying and assessing privacy risks throughout the development lifecycle of a program or system. These assessments state what personally identifiable information (PII) is collected and explain how that information is maintained, protected and shared.

Regardless of where PII is stored, its privacy must be protected from data breaches and other cyberattacks. Information systems must have safeguards, such as PIAs, in place to protect data from privacy violations, especially in situations where privacy issues can be part of the cyberevent.

What's included in a privacy impact assessment?

Privacy impact assessments are mandated for federal government agencies but not usually in the private sector. Industry experts recommend that medium to large organizations that regularly deal in PII conduct regular PIAs as part of their overall data privacy and data governance programs.

A PIA should identify the following:

• Whether the information being collected complies with privacy-related legal and regulatory compliance requirements.
• The risks and effects of collecting, maintaining and disseminating PII.
• Protections and processes involved in information management and data processing to mitigate potential data privacy challenges.
• Options and methods for individuals to provide consent for the collection of their PII.

How is a PIA performed?

PII and related data are typically implemented on a variety of information systems. As a result, an organization's IT department is often the first point of contact for a PIA. Human resources departments also handle a lot of personal data. All systems in development as well as in production are candidates for PIAs.

Templates and software packages are available to assist in developing PIAs. They generally follow these basic steps:

1. Secure approval from management to conduct a PIA.
2. Define the purpose and goals of the PIA.
3. Establish a PIA team to gather data and perform the assessment.
4. Gather data, such as statistics on data protection activities and systems, types of data stored and how privacy is assured.
5. Identify the privacy controls to be assessed.
6. Determine if the assessment will be performed manually using a template or using software designed to perform assessments.
7. Conduct the assessment, ensuring the controls are addressed and evidence of how privacy is maintained is provided.
8. Schedule a preliminary review of the draft report with stakeholders.
9. Complete the report, including updates with amendments from the review process, and present the finished report to management.

Government regulations that require PIAs

Many nations have laws and regulations addressing privacy protections and requiring privacy programs. U.S. government agencies completing PIAs must make the reports available to the public. The following are some significant laws and regulations:

• E-Government Act of 2002. Under Section 208 of the U.S. E-Government Act, federal agencies must conduct PIAs for all government programs and systems that collect personal information online and through electronic systems. Federal agency chief information officers (CIOs), or an equivalent official as determined by the head of the agency, are responsible for ensuring that the PIAs are conducted and reviewed for applicable IT systems. The Act also mandates a PIA be conducted when an IT system is substantially revised. Federal agencies, such as the U.S. Departments of Homeland Security, Commerce and Health and Human Services offer guidance and templates to assist with developing and writing these PIAs.
• Privacy Act of 1974. This law includes a code of fair information practices that govern the collection, maintenance, use and dissemination of information about individuals. The Privacy Act requires Federal agencies to contain personal data in systems of records, which is a collection of records from which information about an individual can be retrieved by a name or personal identifier. The Act also requires that individuals give permission for the release of their information, except in cases where one or more of 12 statutory exceptions are demonstrated.
• Health Insurance Portability and Accountability Act of 1996. Part 164 of HIPAA addresses data privacy, including the use of PIAs and other assessments. Sections on HIPAA are often part of privacy audits in organizations that handle health information.
• General Data Protection Regulation (GDPR). A PIA is helpful when complying with Article 35 of the European Union's GDPR. It provides the GDPR-prescribed evidence that an organization is actively protecting privacy. Significant financial penalties can be assessed for noncompliance with GDPR.

The benefits of conducting PIAs

PIAs bring multiple benefits to organizations tasked with managing and safeguarding PII and other sensitive data. They include the following advantages:

• Trust. In addition to demonstrating compliance with privacy laws and regulations, PIAs build public trust and confidence in an organization and its business processes. They provide clear evidence of the information being collected, how it's stored, storage management systems used as well as access control systems.
• Evidence for privacy audits. PIAs can contribute important evidence in privacy audits and general IT audits. Even if organizations aren't required by law to conduct PIAs, these provide ample evidence that data practices are legal and ethical.
• Better understanding of data. Data from a PIA can provide valuable information on data characteristics. It can also identify any vulnerabilities associated with their data processing procedures and help reduce the likelihood of a data breach.

The challenges of conducting PIAs

Organizations opting out of conducting PIAs might have more difficulty detecting data vulnerabilities and their data privacy could be more easily compromised. However, PIAs themselves also pose challenges, including the following:

• Time-consuming and complex. The PIA procedure is complicated and often time-consuming. There are many aspects to consider, such as jurisdictions, the people involved, data ownership, tracking systems and workflows, as well as changes that require new policies as data centers and data center equipment change. A third-party service provider is an alternative if the organization is able to pay for it.
• Incomplete assessments. When an assessment isn't as comprehensive as it could be, some vulnerabilities can be overlooked. For example, every software app an organization uses must be vetted as part of a PIA, because even a seemingly harmless app or tool can compromise data privacy and security.
• Need for expertise. Organizations that fall under GDPR requirements must have data protection officers involved in their PIAs. People with expertise in privacy and cybersecurity issues are useful even for businesses not bound by GDPR.

Privacy impact assessment vs. privacy impact statement

PIAs examine the many aspects of how information is protected, and its privacy assured. The results of privacy risk assessments are presented in a summary report called a privacy impact statement. These statements are a component of the overall PIA.

A privacy impact statement might summarize the ways in which an organization has complied with GDPR, and an agency could request such a statement as verifiable proof of compliance. These reports are valuable tools for compliance.

Data protection impact assessments, or DPIAs, are also used to evaluate potential risks to sensitive information. Learn more with these DPIA tips and templates.