January 23, 2018 Practice Points

Your Client’s Privacy Posture: The Need for a Privacy Impact Assessment

By Leonard Wills

Privacy impact assessments (PIAs) or data privacy impact assessments (DPIAs) remain essential to a company’s privacy program. The PIA is an internal document that assesses the effectiveness of privacy protections within an organization. It helps to ensure that a company safeguards the personal identifiable information of its customers. The list below provides a few inquiries addressed in a PIA.

1.      How information is collected.
2.      What information is collected.
3.      Why information is collected
4.      The intended routine use of information.
5.      The scope of usage of information.
6.      With whom information will be shared.
7.      What notices or opportunities individuals have to decline to provide information.
8.      How information will be secured.
9.      The retention schedule of information.

The PIA requires detailed information about how data flows through the system. Before drafting a PIA, the privacy compliance analysts, or attorneys must meet with the system owners or program owners to learn how the system collects, uses, stores, and retrieves data. The program or system owner may need to clarify or reiterate how the data flows so that accurate information can be documented in the PIA. This process will involve frequent communication between the involved parties.

System owners may also provide a system demonstration. A demonstration allows analysts or attorneys to observe first-hand how the system collects, stores, and uses data. A system demonstration alone, however, may not suffice. Many aspects of data collection may not show up during a demonstration. For instance, processes exist to collect data before the system becomes operational. These processes should be included in the PIA.

Working alongside the analysts or attorneys, the information technology (IT) team plays a critical role in data protection. Security and privacy often work hand in hand—even if sometimes they have different functions. For instance, cybersecurity analysts leverage technical tools such as vulnerability scanners and penetration tests to address vulnerabilities in the network. The cybersecurity team must also have a strong patch management to ensure network services and systems receive updates. Without such processes, the likelihood of a data breach increases significantly.

Generally, the PIA does not delve into contractual agreements with third-party vendors. It should be noted, however, that many data breaches occur because of vulnerabilities in third-party systems. Attorneys should inquire about any third-party vendors, and include those vendors in the company’s risk management process regarding data protection.

A PIA holds firms accountable and mitigates the risks of a data breach—along with its associated costs. It serves as a guide during the initial design process of a system or service, and during the operational phase too. Attorneys or privacy analysts should regularly review and update the PIA as necessary. In addition, they must also work with the cybersecurity team to ensure that strong data protection remains in place.

Leonard Wills is a presidential management fellow with the U.S. government in Washington D.C.

Copyright © 2018, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).