Telling your privacy story through a PIA
As privacy regulations have proliferated, companies have been scrambling to address the many new compliance requirements. One component that can prove challenging to implement is the Privacy Impact Assessment.
While the Privacy Impact Assessment may initially be considered a compliance exercise, when properly leveraged it can be a valuable sales tool for organizations looking to tell their privacy story.
What is a PIA?
A Privacy Impact Assessment is a structured exercise for identifying and minimizing the potential harm that a particular processing activity could cause to data subjects. The PIA is a key safeguard for putting privacy principles such as accountability, data minimization and proportionality into practice.
The PIA is distinct from a standard risk assessment, which focuses on risks to the business. The focus of the PIA is the effect of the processing on the individuals whose data is involved. To emphasize this point, some businesses refer to their PIA as a Human Impact Assessment, or HIA.
For example, a PIA may examine the possible consequences if an individual is improperly profiled and, as a result, receives an adverse decision on a loan application. PIAs may also examine the risks of combining various data sets in a novel way to gain new insights into data subjects.
Generally, a PIA is not finalized until the identified risks have been reduced to an acceptable level, either by changing the processing or by adding controls; the residual risk that remains should be documented along with the reasons it is acceptable.
Who needs to complete a PIA?
PIAs are generally a data controller's responsibility. The controller is the entity that determines the purposes and means of the processing, that is, why and how personal data will be processed.
Thus, an organization considering using a customer relationship management platform would be responsible for preparing the PIA regarding the risks to data subjects. However, GDPR Article 28 makes it clear that one of the processor's responsibilities is to assist the controller with these assessments as necessary (GDPR Article 35 calls the exercise a Data Protection Impact Assessment, or DPIA).
Assisting with a PIA should be considered a minimum requirement for data processors. To enhance the value of the PIA, many processors have begun to prepare sanitized, shareable versions of their PIAs, with sensitive internal detail removed, for prospective customers. This allows processors to proactively communicate their privacy story.
The PIA demonstrates to prospective customers that you have considered privacy risks and taken actions to address those risks.
Similarly, many data controllers have begun to ask for copies of PIAs when considering whether to engage a third-party processor. The PIA allows the controller to make an informed decision about the impact of the activity the third-party processor will perform, and whether it aligns with the controller's own risk profile.
A Privacy Impact Assessment can have an impact far beyond fulfilling a compliance requirement. Consider how you can leverage it in the sales process to ease privacy concerns and shorten the sales cycle.
Want to know more about completing a Privacy Impact Assessment? Contact us here.