You and your team have worked tirelessly to build a new mobile app over the past six months. Several days before the big launch, you bump into a colleague who seems interested in your new high-profile initiative. She has questions about the types of information the app will capture and how it will be stored, analyzed, and shared. Just as you are about to go your separate ways, your colleague asks, “Did you conduct a PIA?” to which you respond, “What is a PIA?” Suddenly your excitement is replaced by concern.

PIAs mitigate financial, legal, and reputational risk

A Privacy Impact Assessment (PIA) is a risk management process that analyzes how personal information is collected, used, shared, maintained, and secured before a project, product, or service is launched or substantially modified. The objective is to identify, record, and mitigate risks that may compromise the privacy of individuals or breach legal, regulatory, and policy obligations. Under certain circumstances, failure to conduct a PIA may result in substantial fines, lawsuits, and reputation harm.

Situations where a PIA may be required include:

  • Launching a new product, service, app, or website
  • Implementing a new operating procedure
  • Making significant changes to an existing initiative
  • Using geolocation, facial recognition, video surveillance, smart sensors, fingerprints or other tracking applications
  • Comparing or merging databases
  • Acquiring a business or asset

PIAs are not new to the public sector

PIAs are not a new concept in the Canadian public sector. If you have been involved with federal, provincial, or municipal government initiatives that carry potential privacy risks, you’ve likely been exposed to a PIA. Depending on the government agency and jurisdiction, PIAs are encouraged or required, as is the case with the Treasury Board Secretariat’s Directive on Privacy Impact Assessment. Recent amendments to British Columbia’s Freedom of Information and Protection of Privacy Act (FOIPPA) now require covered public bodies to conduct PIAs under certain circumstances.

The private sector should take notice

Organizations covered under the European Union’s General Data Protection Regulation (GDPR) have been required to conduct Data Protection Impact Assessments (DPIAs) for potential “high risk” scenarios since 2016. Failure to comply with GDPR may result in monetary penalties of up to €20 million or four per cent of global revenue (whichever is greater). Total fines issued by regional data protection authorities have surpassed €1.3 billion (US$1.5 billion) since enforcement began in 2018.

Starting in 2023, Quebec’s new Privacy Legislation will require businesses to conduct PIAs prior to the acquisition, development, or redesign of an information system or electronic service delivery project involving the collection, use, disclosure, retention, or destruction of Quebec citizens’ personal information. Severe repercussions could be in store for those who don’t comply. Private sector offenders may incur administrative monetary penalties of up to the greater of C$10 million or two per cent of worldwide revenue and fines related to penal offences of up to C$25 million or four per cent of worldwide revenue. Since Quebec accounts for nearly one-quarter of Canada’s population, these regulatory changes will have far-reaching effects.

Seven essential steps for any PIA

PIA regulatory requirements and recommended frameworks may vary by jurisdiction, industry, and the type and sensitivity of data processed. Despite these differences, the following seven steps should be incorporated into any PIA program.

  1. Assess the need: First, determine whether your initiative involves processing personal or sensitive information. This typically includes any information that can be used to trace an individual’s identity, either directly or indirectly, such as their name, identification numbers, email address, biometric data, or IP address; however, the definition may vary by regulation. If the answer is “no,” a PIA is likely not required. If the answer is “yes,” you will need to confirm whether privacy regulations or your internal policies require a PIA. Even where no such obligation exists, you may decide to conduct a PIA to mitigate privacy risks.
  2. Assemble the team: Once the decision is made to proceed with the PIA, the program manager will need to recruit subject matter experts to support the effort. For example, the PIA team for a new app may consist of product, technology, security, legal, compliance, marketing, and service delivery representatives. It is strongly recommended that the team include an internal or contracted certified privacy professional to help guide the process.
  3. Describe the initiative: Clearly define your initiative in simple terms, including its purpose, benefits, deliverables, timelines, stakeholders, covered regulations and policies, and what is in and out of scope. It is essential to describe the types of personal information that will be processed, the way in which they will be processed, and the legal basis for doing so. Include details about the systems and technology required for information processing, as well as access permissions.
  4. Categorize data and its movement: Each data type should be classified according to its level of sensitivity and the potential risk if it were to be compromised. Create a visualization of how personal information will be collected, used, retained, shared, secured, and disposed of at each step, both internally and externally. Pay special attention to cross-border data transfers, which may trigger additional regulatory requirements as well as the need for data processor agreements.
  5. Conduct a privacy impact analysis: At this stage, all risks that could jeopardize an individual’s privacy should be identified, including those which may breach privacy regulations or internal policies. To simplify the process, consider drafting a list of risks and ranking them based on likelihood, privacy impact to affected individuals, and impact to your organization, should they occur.
  6. Identify risk mitigation strategies: With a clear view of risks and impacts now in place, it is important to document how each will be eliminated or mitigated. These strategies may include removing, minimizing, anonymizing, or de-identifying data. Consider including additional safeguards such as new processes, technology, or education programs. Risk acceptance may vary by organization, depending on risk exposure, priorities, resources, and other considerations. Each strategy should define ownership, responsibilities, budget, and execution timelines.
  7. Publish the PIA report: The final step is to summarize the project, objectives, privacy risks, privacy impacts, action plan, dependencies, and timelines in order to seek approval from decision-makers. The report should be drafted in easily understood terms and avoid jargon. Certain sectors may require additional approvals from regulators or other third-party governance authorities.

Some initiatives may require support from information technology and security experts to conduct a Security Threat Risk Assessment (STRA) to accompany the PIA. An STRA helps organizations identify and mitigate potential threats that may compromise the confidentiality, integrity, or availability of information.

Once the initiative is implemented, ongoing monitoring should be put in place to flag privacy risks. Events that may warrant revisiting the PIA include new regulatory or internal policy obligations, program performance issues, substantial changes, or risks not otherwise considered or adequately evaluated.

While these are the essential components of any PIA, initiatives vary in complexity and depth, so no two PIAs are the same. Given what is at stake for organizations that breach privacy regulations and customer trust, consider engaging a privacy expert to assist with the effort.