Done well, a privacy impact assessment (PIA) can be an excellent tool for assessing and mitigating privacy risks. As my colleague Constantine wrote earlier this year, instead of simply being a box-ticking, rubber-stamping exercise, PIAs can actually inspire confidence with your stakeholders, your organization, and your regulators. I also see PIAs as a valuable, customizable process that’s documented rather than a document in and of itself. As they say, it’s not just about the destination, it’s the journey that counts.
In this post I wanted to share the top 10 issues I keep seeing pop up in the PIAs I’ve been conducting.
- Lack of privacy protections in vendor contracts: Many PIAs these days involve assessing the involvement of a third party in support of a certain project or initiative. In almost all cases, there are minimal to non-existent protections for the personal information involved baked into those contracts, so we help strengthen them to protect our clients.
- Confusing privacy notices vs policies: These terms are often used interchangeably, which can lead to confusion. Both are important, but they serve somewhat different purposes. A privacy notice or statement is the communication shared with individuals, usually at the point of collection of data for a purpose. A privacy policy details an organization’s personal information handling practices and is meant to help its employees follow the rules, although you’ll often find a version of it online, tailored to the public.
- Mixing up data transformations: Using the correct privacy enhancing technology in the right circumstances can be hugely beneficial for protecting and leveraging data. That said, there is still some confusion about when and how to aggregate, de-identify, synthesize, anonymize, and so on. Too often only minimal data transformations are contemplated, with the assumption that they’re sufficient and without any assurances the approach meets industry standards.
- Necessity vs nice-to-have: Data is gold, so applying significant rigour to ensure what is collected is absolutely necessary and not just nice-to-have can be tough, especially when we can imagine lots of potential secondary uses down the road. Limiting collection, however, is an excellent way to minimize privacy risks in the event of a breach or regulatory investigation.
- Program’s commitment to privacy: We get it – privacy can be a pain for your program folks. But we guarantee it will be a bigger pain if a privacy problem with their project or initiative is discovered after implementation. Building trust across an organization so that the CPO is not the office of “no” but of “here’s how” takes time and we help with that.
- Inadequate security controls: Many organizations are quite confident in the robustness of the technical, administrative, and physical controls they have in place to protect data. That said, we always uncover important gaps in each of the three categories. What I see missing most often are stricter access and authentication controls.
- Internal guidance and training missing: Strong technical safeguards only work if they’re complemented by policies and directives for staff. These need to be kept current, people need to know they exist, and they need help learning and following them, through proper training. We’re big advocates of privacy training across the organization.
- One-and-done policies and processes: The privacy work and products aren’t of much use if they just gather dust somewhere and aren’t kept evergreen. We’ve seen policies and processes left untouched for 10-20 years, and so much can change in that time. Built into our PIAs is the leverage our clients need to ensure their organization’s privacy work is kept current.
- Flawed data flows: Data flows are increasingly complex and understanding how the data moves, to whom it goes, for what purpose, and how it’s protected along the way can help pinpoint – and correct – weaknesses. It’s a worthwhile part of the PIA process we encourage our clients not to skip.
- Destruction and disposal forgotten: There’s so much more information and guidance out there on respecting the other key privacy principles. When we conduct PIAs we find that not enough attention is paid to how organizations either get rid of data or sufficiently transform it when it’s no longer needed.
Something we’re pleased to see, more and more, is that organizations are coming to us for PIAs at the beginning of projects or initiatives, before things are fully baked. The PIA then becomes a tool to help them implement using a privacy-by-design approach.
The nNovation team has decades of experience conducting PIAs in a way that’s streamlined, collaborative, effective, always interesting, and sometimes – dare we say – even fun. If your organization needs a PIA or other type of privacy risk assessment, reach out to us!