*The following article is merely informational and is not intended to serve as legal advice. Please seek assistance from legal or professional counsel to better understand your or your organization's specific legal need.*
A Privacy Impact Assessment (PIA) is, simply put, a brief report on how your organization collects, uses, and stores what is commonly known as Personally Identifiable Information (PII). The PIA has become more prominent in recent years in the United States. In Europe, the General Data Protection Regulation (GDPR) imposes a requirement for companies to perform a similar assessment known as a Data Privacy Impact Assessment (DPIA).
What is Personally Identifiable Information?
At the root of the PIA is Personally Identifiable Information. Put plainly, PII is any data that can clearly identify an individual. Things like names, phone numbers, or email addresses universally fall under PII. It is important to note that as more governments enact legislation about data privacy, the definition of what falls into PII may change or vary from jurisdiction to jurisdiction.
What is a Privacy Impact Assessment?
Privacy Impact Assessments are outlines of specific company systems and programs which collect any data that is personally identifiable. PIAs can be thought of as a type of disclosure to users about what specific types of data they can expect will be recorded from them, how that data will be used, and how that data is taken care of while in your organization’s possession.
PIAs offer a very important opportunity for organizations to take a step back and assess the risks associated with new ventures and operations that will collect data. A good PIA will give an organization a holistic understanding of exactly what data will be collected and the costs associated with its collection. This insight allows organizations to prepare for potential risk and offers the chance to mitigate it before the new function is implemented.
Some factors that a good PIA will contemplate include relevant laws and regulations based on where the organization operates. It will also consider the full extent and adequacy of the storage and protection of the data, something that is often overlooked but vital to understanding risk. As with storage, organizations commonly overlook the risk associated with transferring data to third parties, which should be contemplated in a PIA as well.
When is it required? (Data Protection Impact Assessments)
PIAs are a useful tool but are not necessarily a legal requirement. There are, however, similar types of disclosures that may be required by law depending on the user base of your organization. Data Protection Impact Assessments (DPIAs) are documents that are required by law in Europe in specific scenarios that depend on the activity being undertaken and the country. Like PIAs, DPIAs identify areas of risk, but DPIAs have a heavier focus on statutory compliance and risk mitigation.
Companies that collect any PII from residents of the European Union must comply with the GDPR. The statute is silent on what exactly qualifies as a risk that would require a DPIA; instead, each EU member state is responsible for publishing its own legal requirements. The common thread among the various country regulations includes any activity that processes particularly sensitive data, collects PII automatically or with the assistance of AI, or collects data in large-scale quantities.
Currently, DPIAs are not a requirement of the United States federal government or any state government; however, the practice is still widely considered to be valuable, especially as many individual states begin to move towards enacting their own privacy laws, often modeled after the GDPR. It is important to note as well that while a DPIA is not explicitly required under the California Consumer Privacy Act (CCPA), there are certain disclosures and rights that users have over their PII which may resemble information used in the DPIA.
What’s at risk?
Noncompliance with current privacy law requirements for DPIAs can be costly, and organizations should consult with experts to better understand their specific needs and risks. Under the GDPR, fines for minor violations can be levied as high as €10 million or up to 2% of the organization's previous year’s revenue. Under the CCPA, fines for minor violations can vary from as small as $100 per violation to as high as $750 per violation. The CCPA also leaves the door open for actual damages and injunctive relief as the judge sees fit.
Keeping your Organization Compliant
Even if your organization is not required by law to file a DPIA, completing an assessment of particular systems' use and collection of data is vital to effectively understand the risk your organization may face. Data privacy is becoming an inescapably important topic in the law, and more than ever, consumers want to protect their data from breaches and leaks. Performing PIAs will ensure your organization is doing its part to keep its users' data safe and protected, and offers the opportunity to correct business practices before it's too late.
The SHIELD Act requires any person or business owning or licensing computerized data that includes the private information of a resident of New York (“covered business”) to implement and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information. The SHIELD Act will have far-reaching effects, as any business that holds private information of a New York resident, regardless of whether the organization does business in New York, must comply with the new law.
The political world can be vast and confusing, especially when it comes to laws that can affect your business. Luckily, Elroi is here to help and keep you both up to date and compliant! While we do not yet have a national data privacy law in the United States, state policies, such as the California Consumer Privacy Act, can still have major impacts on how you conduct business.