Nowadays, consumers live more and more of their lives online; but that also means that more and more of their data can be accessed not just by them, but by other consumers, or even by brands. Businesses are now responsible for protecting their data subjects’ information not just to avoid the legal headaches that come with noncompliance, but also to foster an environment of trust with their customers.
This is why your business needs to conduct a privacy impact assessment (PIA) on a regular basis. This article will discuss some of the key items that you should know about privacy impact assessments. If you would like to help your business be on the safe side in terms of data privacy protection, then this article is perfect for you.
What is a privacy impact assessment and why should you do it?
A privacy impact assessment is a systematic procedure for identifying risks and factors that may negatively impact the private information an organization collects, processes, and stores, regardless of whether it is in digital format or not. It also includes recommendations and action items on how to prevent, mitigate, manage, and resolve security breaches that lead to compromised private data.
Businesses and organizations need to do regular privacy impact assessments to ensure they are compliant with the Data Privacy Act (DPA). A PIA also establishes trust with consumers that their private data is safe and processed according to the implementing rules and regulations of the DPA.
How does one conduct a Privacy Impact Assessment?
Below are the 5 items included in the mandatory scope of a privacy impact assessment:
- A clear description of the data processing system. For digital systems, it must, among other things, specify where the collected data will be stored, who processes and stores the data, and whether or not the data and the data processing follow industry standards.
- A clearly defined purpose for data collection and processing. If data does not need to be retained after processing, the privacy impact assessment should include a step-by-step procedure that ensures the data is properly disposed of once its original purpose of processing has been carried out.
- An itemized list of the personally identifiable information (PII) involved in the processing. Any private information that is deemed not necessary should not be included. Your Data Privacy Officer must ensure that only relevant private data is collected, processed, and stored.
- A description of the flow of personal data from collection to processing to purging. For each phase, it should show that proper information security measures, best practices, and industry standards are implemented to ensure this personal data is protected from possible attacks.
- An identification and description of the existing data security measures covering the organizational, physical, and technical aspects. This includes ensuring that the physical premises where data is stored are secured, and that external access to digital data processing systems is restricted via firewalls, antivirus software, and demilitarized zones.
Do I need to conduct a Privacy Impact Assessment?
Your appointed Data Privacy Officer (DPO) is ultimately responsible for ensuring that your business regularly conducts privacy impact assessments. They are also responsible for taking the necessary actions that consistently improve internal policies to ensure better personal data protection. Your DPO needs to do these things and more in order to keep your business compliant with the Data Privacy Act.
However, this does not mean that you should leave it all to your Data Privacy Officer. With each privacy impact assessment, enjoin everyone, from your rank and file employees to your executive leadership team, to have a united front to foster a culture of protecting customers’ private data.
Take, for example, the case of online lending apps that allegedly violated the Data Privacy Act. The people behind these online lending apps resort to calling the borrower’s family, friends, and employers when they are not able to pay off their loans. This tactic was facilitated by the lending apps’ access to the borrowers’ contact list.
A simple privacy impact assessment would have shown that collecting the contact numbers of the people in the borrowers’ contact lists is not necessary for the lending app to carry out its purpose of lending money to the borrower – nor did the people in those contact lists have the option to give or withdraw their consent.
A Data Privacy Officer would have advised them to exclude this data from the collection process. More importantly, the Data Privacy Officer could have raised this with the executive team as a high-risk factor when it comes to complying with the Data Privacy Act.
Why should I care about Privacy Impact Assessments?
Your DPO will need your help to safeguard the delicate personal information of your customers. You can do your part by ensuring you follow internal rules, policies, and protocols to protect customer information. You can also encourage your colleagues to do the same.
Protecting private data is not the sole responsibility of your DPO. Though they are leading your organization on the journey to becoming compliant, they still need your help to succeed in crafting the right privacy policies, regularly conducting privacy impact assessments, ensuring follow-through on action items that address risks found in the PIA, and continuing to improve the data security standards, practices, and protocols within the organization.