Is it time for your business to invest in a Privacy Impact Assessment?
Maybe you’ve thought about it a little: is your business doing enough to protect the privacy of the data it collects? Perhaps the past year’s news headlines have your board of directors talking about it a lot: we need to make sure we’re complying with the relevant privacy legislation.
Some pundits continue to assert that privacy is dead and no longer matters. Not so; if that were true, then how do you explain the expensive corpse? According to a recent IBM study, the cost of a data breach now ranges from $148 to $408 per record. Worse, that’s just the tip of the iceberg: neglect of privacy and security practices can cost big bucks, from system repairs to lost customer trust, shattered reputations and hefty fines from regulators. While the expansion of the Internet of Things and improving artificial intelligence technologies are opening new opportunities, poor privacy practices are bad for business.
Question is, where to start? How do you know what level of privacy safeguards your organization needs, where they need to be and how to implement them? What can help triage your pain points, identifying immediate concerns and providing recommendations to meet larger privacy protection goals? How can your organization be confident that it has earned the trust of its community?
The answer is the Privacy Impact Assessment (PIA).
A PIA is a valuable tool for your organization to understand and identify existing privacy challenges. In an impact assessment, consultants or qualified in-house experts take a look under the hood of your organization's data processes and protection measures. With a PIA, management can see clearly what protection measures they have and how data is currently retained and used, and can see where risks are high and where existing practices aren't enough. A good PIA will also give the company an understanding of which privacy laws apply to its work, a clearer picture of existing or desired data processes, and recommendations for achieving and maintaining compliance going forward. PIAs are often done alongside security threat/risk assessments, and the two practices complement each other: a threat/risk assessment focuses on technical and physical vulnerabilities in systems and infrastructure, while a PIA digs deeper into people, policy and management problems. In some industries and jurisdictions, a PIA is required by law before a new project can proceed. Consider the following for your organization:
- Does your business or tool collect, process or store personal health information?
- Do you work with or sell to the medical community?
- Do you operate in the public sector, or for a Crown corporation?
- Are you introducing a new technology or process that has privacy implications for government entities?
- Do you collect or process the personal information of vulnerable populations?
- Are you working with sensitive demographics, including children, elderly, racial minorities, religious associations or gendered communities?
- Is your business working with data on an international scale?
- Are you collecting or processing other categories of industry sensitive information?
- Do you want to prove your business takes privacy seriously, and show business prospects clear evidence of your organization's commitments?
Any answers of 'yes' to the above are signs a PIA should be on your radar. Here’s why:
Why your business likely needs a Privacy Impact Assessment if you collect, process or retain personal health information
If your business processes data and works in, supports or sells to the medical sector, a PIA (or an equivalent privacy or security risk assessment) is likely required by law before you go to market. Health information has been considered private for thousands of years, right down to the Hippocratic Oath. Our bodies, our lives, our information: there are many reasons a patient needs their health information kept confidential, from protection against embarrassment, to concern for family members, to fear of exclusion from their local community. Unfortunately, personal health information is also a valuable target for criminals, with recent reports revealing that medical records sell on the black market for up to $1,000 per patient, depending on the identity and level of detail. If your business works in or supports medical services, be sure to understand the information you collect and how you fit under existing health privacy laws. Examples of health legislation and regulations that require privacy or data protection assessments include:
- Health Insurance Portability and Accountability Act (HIPAA)
- Provincial health information legislation in Canada, including the acts of Nova Scotia, Alberta and New Brunswick
- Individual states within Australia, such as Victoria's Health Records Act
- The General Data Protection Regulation (GDPR), which treats health, genetic and biometric data as special categories of personal data and requires a Data Protection Impact Assessment for high-risk processing
Why you may need a Privacy Impact Assessment if you are involved with government departments or agencies, or a company that works for them.
In Canada, PIAs are required for federal institutions and Crown corporations that are introducing “new or redesigned programs and services that raise privacy issues”. This requirement flows from the Privacy Act at the federal level (through the Treasury Board's Directive on Privacy Impact Assessment), and from freedom of information/access to information and privacy protection laws at the provincial and municipal levels. In the United States, PIAs are required at the federal level by the E-Government Act of 2002, and may additionally be required by state law. Other legislation that requires assessments prior to the adoption of new data processing technologies within the public sector includes:
- The Freedom of Information and Protection of Privacy Act of Ontario
- The Access to Information and Protection of Privacy Act of Newfoundland and Labrador
- The Ohio State Privacy Act
Why a Privacy Impact Assessment should be considered if your organization works with sensitive information.
While a PIA may not be legally required for all data processors, one can be particularly helpful if your company deals with sensitive information and populations. In particular, it can bring awareness of specific laws and standards that are unique to your industry. For example, U.S. enterprises processing the data of children under the age of 13 are subject to the Children's Online Privacy Protection Act (COPPA). Those who process payment cards in-house would be wise to pay close attention to PCI DSS, the Payment Card Industry Data Security Standard, and banks across the globe are subject to sector frameworks such as Basel III. Other examples of specific legislation and standards include:
- Gramm-Leach-Bliley Act for Financial Institutions in the U.S
- California Consumer Privacy Act (in force from 2020)
- Illinois Biometric Information Privacy Act (BIPA)
- Washington Biometric Privacy Law
- Texas Biometric Privacy Law
Why a Privacy Impact Assessment is valuable for organizations that operate on an international scale.
Does the data your organization collects or processes ever cross borders? Privacy law is not uniform across the globe. Many countries' regulations share a common ancestry in the Organisation for Economic Co-operation and Development's privacy principles, but the details differ. In Canada, privacy in the private sector is regulated through the Personal Information Protection and Electronic Documents Act (PIPEDA). In May 2018 the highly publicized General Data Protection Regulation (GDPR) became applicable in the European Union; it reaches any organization, wherever located, that collects or processes the personal data of individuals in the member states. China is reviewing its privacy law, but all information there is already subject to the Cybersecurity Law of the People's Republic of China, while Hong Kong (officially the Hong Kong Special Administrative Region of the People's Republic of China) has its own Personal Data (Privacy) Ordinance. Depending on where and how you do business, different laws will impose different compliance requirements, and may even define personal information differently. In addition to the well-known GDPR, examples of privacy legislation across the globe include:
- Federal Data Protection Act (Mexico)
- Personal Data Protection Law (Argentina)
- Law for the Protection of Private Life (Chile)
- Protection of Personal Information Act (South Africa)
- Personal Information Protection Act (Japan)
Why a Privacy Impact Assessment can benefit your business even if not required by legislation.
Proactive protection measures do more than help an organization comply with legislation: privacy is good for business. Those that build privacy into their products and services reap the benefits: it’s no accident that the first thing the owner of a new Apple iPad sees is a clear statement about privacy and data collection practices. Other big players who pay careful attention to their privacy practices include Telus, the Canadian telecommunications company, and entertainment software giant Ubisoft. If your business has built in privacy from the start and wants a scorecard reflecting its strengths and areas for improvement, or you want solid evidence to back up a claim of best-in-class privacy practices, a PIA delivers.
Whether you’re developing a new product or want an overhaul of daily organizational practices, investing in a Privacy Impact Assessment demonstrates a commitment to better privacy in your organization. Like a performance evaluation, it identifies strengths, weaknesses and recommendations for improvement. As a document, your PIA can be summarized for interested investors, mined for marketing points that showcase your practices, or handed over in full to regulators if questions crop up. While there’s no gold seal for the privacy of products (yet!), having a completed PIA on hand is the industry’s closest equivalent, and it is likely to be required if future certifications become established. If your team is ready to show it takes privacy seriously, start planning a PIA in the near future.