PIAs and Reassessments in WireWheel
What is a Privacy Impact Assessment?
A Privacy Impact Assessment (PIA) is an assessment or questionnaire that collects information on how personally identifiable information (PII) is collected, stored, protected, shared and managed.
A PIA is usually designed in a survey format and, at the very minimum, should answer the following questions:
- What information is collected, and how?
- Why is the information collected?
- What is the intended use of the information?
- Who will have access to the information?
- With whom will the information be shared?
- What safeguards are used to protect the information?
- For how long will the data be retained/stored?
- How will the data be decommissioned and disposed of?
- Have Rules of Behavior for administrators of the data been established?
The PIA should be completed, reviewed, and the records should be maintained for reference.
Why are Privacy Impact Assessments needed?
Privacy Impact Assessments are required under several privacy laws passed over the last 20+ years, and they have gained momentum as privacy legislation has spread and its requirements have expanded.
- The E-Government Act of 2002, Section 208, establishes the requirement for agencies to conduct PIAs for electronic information systems and collections.
- The data protection impact assessment (DPIA), the GDPR's formal counterpart of a PIA, was introduced by Article 35 of the General Data Protection Regulation.
- Starting in 2023, several US state privacy laws, including those of California, Colorado, Virginia and Connecticut, require data protection assessments for vendor engagements and for high-risk data processing activities.
The EU's GDPR requires that a Data Protection Impact Assessment (DPIA) be conducted when the processing is likely to result in a high risk to the rights and freedoms of natural persons.
- A DPIA is a type of risk assessment. It helps you identify and minimize risks relating to personal data processing activities. DPIAs are also sometimes known as PIAs (privacy impact assessments). We have had a few clients who conduct a compact PIA first and, if it identifies a high-risk system, use that result to trigger a DPIA or High-Risk Assessment.
- The EU GDPR (General Data Protection Regulation) and, in the UK, the Data Protection Act (DPA) 2018 require you to carry out a DPIA before certain types of processing, so that data protection risks are identified and mitigated before the processing starts.
- If processing personal information is likely to result in a high risk to data subjects’ rights and freedoms, you should carry out a DPIA.
- Examples of high-risk processing include scoring or profiling; automated decisions with legal or similarly significant effects on the people concerned; systematic monitoring; processing of special categories of personal data; large-scale processing; matching or combining data sets gathered through different processes; data about vulnerable persons, such as those with limited ability to act for themselves; use of new technologies or biometric procedures; data transfers to countries outside the EU/EEA; and processing that prevents data subjects from exercising their rights. When several of these criteria apply to one processing activity, the risk to data subjects is presumed to be high and a DPIA is always required.
How to get started with your Privacy Impact Assessment
Many companies start out using spreadsheets as a way to collect the information required for a PIA. However, they find that it can be very difficult to track and manage these assessments without a tool.
Leveraging deep privacy expertise, WireWheel has developed a software solution to help companies manage assessments: the WireWheel Privacy Operations Management (POM) platform. The tool helps companies design and conduct assessments.
Users create a template, which is a list of questions that need to be answered. The template is then used to kick off multiple assessments. Templates can be structured to include questions to understand whether or not the collection and use of personal data are in compliance with data protection regulations. This information can be mapped to asset inventories.
WireWheel provides standard templates that cover key regulations and requirements and also helps clients build custom templates for their specific needs.
The WireWheel Privacy Operations platform lets users trigger assessments manually, or lets a vendor self-initiate an assessment where required. Once an assessment is triggered, a user can assign the questions to vendors, suppliers or system owners to answer. The responses are reviewed and approved by the assessment owner, and the platform records the detailed assessment responses so a company can demonstrate compliance if audited.
What happens after the PIA is complete?
Once the PIA is completed and documented, a company will typically set criteria to trigger another PIA or a reassessment.
Typically this happens when any of the following activities occur:
- Developing, or procuring any new technologies or systems that handle or collect personal information
- Developing system revisions; when substantial changes are introduced to an existing data processing system
- Issuing a new or updated rulemaking that affects personal information.
- When an existing data processing system is involved in a major data breach or recurring security incidents
- On a predetermined schedule
Under the GDPR (Art. 35(11)), a DPIA must be reviewed at least when the risk presented by the processing changes; the widely used three-year review interval comes from regulators' DPIA guidance rather than from the text of the regulation, so a fixed schedule should be treated as a floor, not as the only trigger.
How does WireWheel help with reassessments?
WireWheel maintains a record of all completed assessments and helps customers decide when a reassessment is needed through features such as reporting, tag management, and assessment details like the "Last completed" date. Based on criteria such as a high risk score, a data breach alert, or the age of the last completed assessment, the privacy or legal team can identify the need for a reassessment and initiate it from the previously submitted assessment.
Reassessments can be triggered in the WireWheel platform by any team or individual with the appropriate permissions. Clients start with the creation of a copy of the completed assessment so that the responses submitted previously will be automatically pre-populated. The reassessment will use the latest, published version of the same template that was used to create the original assessment and use the review workflow that the original assessment used.
A completed assessment at WireWheel will include the responses submitted by the assignee, assignee(s) information, completion timestamp, and tags if any.
In WireWheel, a copy of the completed assessment can be created by navigating to "Create a Copy".
The newly created reassessment provides the ability for the owner to assign all the questions or just the relevant questions to the assignee(s) for updates. The responses previously submitted by the assignee will be pre-populated and available for the assignee to review and edit.
Once the assignee updates and submits the reassessment, the owner reviews and approves the responses. The reassessment is then saved as a new record with the latest responses submitted by the assignee, assignee(s) information, new completion timestamp, and tags if any.
How do you compare one assessment to another?
WireWheel lets users compare the responses across assessments using the default reporting feature. Users select the assessments they want included in the report, and reports can also be downloaded to the user's own system.
With more and more regulations requiring Privacy Impact Assessments, a tool like WireWheel's Privacy Operations Management platform can help companies make sure they are handling personal information properly.
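To make the reassessment workflow described in the two sections above concrete, here is an added example that models it in plain Python. It is illustrative code written for this page, not WireWheel's own code or API: the question ids, the three-year review interval, the numeric risk score and its threshold of 7, and the sample 2019 assessment are all assumptions. It shows the three pieces a reassessment needs: deciding that one is due (schedule, incident, or risk score), copying the completed assessment onto the latest template version with prior answers pre-populated and newly added questions left blank, and comparing the old and new records question by question.

```python
"""Illustrative model of a PIA reassessment workflow (not WireWheel's code)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

REVIEW_INTERVAL = timedelta(days=3 * 365)  # assumed policy: review every three years
HIGH_RISK_THRESHOLD = 7                     # assumed: a score of 7 or more is "high risk"


@dataclass
class Assessment:
    template: str                         # template name
    template_version: int                 # published template version the record was built from
    responses: Dict[str, Optional[str]]   # question id -> answer; None means unanswered
    assignee: str
    completed: Optional[date] = None      # completion timestamp; None while in progress
    tags: Set[str] = field(default_factory=set)
    risk_score: int = 0


def reassessment_due(a: Assessment, today: date, breach_reported: bool = False) -> List[str]:
    """Return the reasons a completed assessment needs reassessing (empty if none)."""
    if a.completed is None:
        return []  # still in progress; there is nothing to reassess yet
    reasons = []
    if breach_reported:
        reasons.append("security incident on the assessed system")
    if a.risk_score >= HIGH_RISK_THRESHOLD:
        reasons.append("high risk score")
    if today - a.completed >= REVIEW_INTERVAL:
        reasons.append("review interval elapsed")
    return reasons


def create_reassessment(original: Assessment, latest_version: int,
                        latest_questions: List[str]) -> Assessment:
    """Copy a completed assessment onto the latest published template version.

    Prior answers are carried over for questions that still exist in the template;
    questions added since the original was completed start out unanswered.
    """
    if original.completed is None:
        raise ValueError("only completed assessments can be reassessed")
    carried = {q: original.responses.get(q) for q in latest_questions}
    return Assessment(original.template, latest_version, carried,
                      original.assignee, None, set(original.tags), original.risk_score)


def unanswered(a: Assessment) -> List[str]:
    """Question ids the assignee still has to answer before the owner can approve."""
    return sorted(q for q, ans in a.responses.items() if ans is None)


def submit(a: Assessment, updates: Dict[str, str], completed_on: date) -> Assessment:
    """Apply the assignee's edits and record completion; refuse partial submissions."""
    a.responses.update(updates)
    missing = unanswered(a)
    if missing:
        raise ValueError(f"unanswered questions: {missing}")
    a.completed = completed_on
    return a


def compare(old: Assessment, new: Assessment) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Report every question whose answer changed, as question id -> (old, new)."""
    questions = set(old.responses) | set(new.responses)
    return {q: (old.responses.get(q), new.responses.get(q))
            for q in sorted(questions)
            if old.responses.get(q) != new.responses.get(q)}


# Constructed sample data: a 2019 PIA of a hypothetical customer CRM system.
ORIGINAL = Assessment(
    template="Standard PIA", template_version=1,
    responses={"Q1-collected": "name, email, purchase history",
               "Q6-safeguards": "AES-256 at rest, TLS in transit",
               "Q7-retention": "5 years after last purchase"},
    assignee="crm-owner@example.com", completed=date(2019, 1, 15),
    tags={"crm", "marketing"}, risk_score=3)


def run_example(today: date = date(2022, 6, 1)) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Walk the workflow end to end and return the old-vs-new comparison."""
    reasons = reassessment_due(ORIGINAL, today, breach_reported=True)
    if not reasons:
        return {}
    # Template version 2 added a disposal question (assumed); earlier questions are unchanged.
    v2_questions = list(ORIGINAL.responses) + ["Q8-disposal"]
    reassessment = create_reassessment(ORIGINAL, 2, v2_questions)
    # The new question is blank, so the assignee cannot submit until it is answered.
    assert unanswered(reassessment) == ["Q8-disposal"]
    submit(reassessment, {"Q7-retention": "3 years after last purchase",
                          "Q8-disposal": "crypto-shred after retention expiry"}, today)
    return compare(ORIGINAL, reassessment)


if __name__ == "__main__":
    for question, (before, after) in run_example().items():
        print(f"{question}: {before!r} -> {after!r}")
```

Two design points carry over to any tooling for this: a reassessment is a new record rather than an edit of the old one, so the comparison in `compare` always has both versions to work from, and a question added to the template after the original assessment shows up as `(None, answer)` in the comparison, which is exactly the evidence an auditor would ask for when a regulation adds a new requirement.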