Privacy laws are evolving continuously, and organizations need to develop their privacy programs accordingly. Although the GDPR applies uniformly across the EU, member states such as Ireland have enacted national data protection laws that supplement its principles (Ireland's Data Protection Act 2018, for example), and the UK, which is no longer an EU member state, retains the GDPR framework as the UK GDPR alongside its own Data Protection Act 2018. Many US states have passed, or are expected to pass, comprehensive privacy laws modeled on the principles of the CCPA. Similarly, Brazil, Thailand, Singapore, New Zealand, China, and many other countries have passed new data protection laws or materially amended existing ones. The lack of uniformity between these regulations makes it difficult for organizations to keep track of changes in their compliance requirements. To ensure compliance with these changing privacy regulations, organizations usually complete the following types of assessments:
A Privacy Impact Assessment (PIA) can help organizations to:
A Privacy Impact Assessment also demonstrates to stakeholders that the project has been designed with privacy in mind. Conducting a PIA is part of good governance and good business practice for organizations that deal with personal information.
A Data Protection Impact Assessment (DPIA) is a process that helps organizations identify and minimize the data protection risks of a project. A DPIA enables organizations to build data protection considerations into their planning and to demonstrate compliance to supervisory authorities. Conducting a DPIA for any significant project that involves the processing of personal data is considered good practice for privacy compliance. In some cases a DPIA is a legal requirement: under Article 35 of the GDPR, a controller must complete a DPIA before starting any processing that is likely to result in a high risk to the rights and freedoms of individuals. A DPIA must include the following:
Organizations need to keep their DPIAs under review and repeat them whenever there is a substantial change to the nature, scope, context, or purposes of the processing, or to the risk it presents. For this reason, it is important that organizations embed DPIAs into their standard project and change-management processes rather than treating them as one-off exercises.
Furthermore, organizations often complete other assessments, such as legitimate interest assessments and cross-border transfer impact assessments, to ensure regulatory compliance. Legitimate interest (Article 6(1)(f) of the GDPR) is the most flexible lawful basis for processing, but organizations cannot assume it will always be the most appropriate one. They must therefore conduct a Legitimate Interest Assessment (LIA) to determine, and document, whether it applies. A Legitimate Interest Assessment includes the following steps:
Under the GDPR, personal data may be transferred to a country outside the European Economic Area without further authorization only if the European Commission has decided that the country ensures an adequate level of data protection (Article 45). Otherwise the exporter must rely on appropriate safeguards such as standard contractual clauses or binding corporate rules (Article 46), or on one of the narrow derogations in Article 49. Since the CJEU's Schrems II judgment, an exporter relying on such safeguards is also expected to verify that they are effective in practice in the destination country. Organizations therefore conduct a Cross-Border Transfer Impact Assessment, which evaluates the privacy and data protection risks to individuals arising from a proposed transfer, including the destination country's laws on government access to data and any supplementary measures (such as encryption with keys held by the exporter) needed to mitigate those risks.
Organizations also use assessments to collect information about data assets and processes, and then use the responses to create or enrich the corresponding entries in their data catalog. Once such an assessment is published, the information collected is attached to the catalog entry for that asset or process.
These assessments also need to be updated regularly, and multiple stakeholders are usually involved in understanding the gaps they reveal and tracking the new controls the organization must implement. For all of these assessments, privacy teams, business owners, and auditors typically rely on word-processing documents, spreadsheets, and simple forms, which makes the work inefficient and hard to monitor.