Data Assessments Flashcards

1
Q

What is a Privacy Impact Assessment? (PIA)

A

A privacy impact assessment, or PIA, is an analysis that specifically assesses the privacy risks associated with processing personal information in relation to a project, product or service.

Requirements around PIAs may be mandated by industry, organizational policy, and laws and regulations.

PIAs can help facilitate privacy by design.

2
Q

When should a PIA be conducted?

A
  • Prior to deployment of a project, product or service that involves the collection of personal information
  • When there are new or revised industry standards, organizational policies, or laws and regulations
  • When the organization makes changes to methods in which personal information is handled that create new privacy risks
3
Q

What is a Data Protection Privacy Impact Assessment? (DPIA) What laws require this?

A

A data protection privacy impact assessment, or DPIA, has specific triggers and requirements under the GDPR (EU) and LGPD (Brazil). DPIAs are intended to help incorporate privacy considerations into organizational planning and demonstrate GDPR compliance.

4
Q

When should I conduct a DPIA?

A

Triggers for conducting DPIAs include processing that is “likely to result in a high risk to the rights and freedoms of natural persons” (GDPR Article 35) and the use of new technologies.

5
Q

What should a DPIA include?

A

DPIAs should include: a description of the processing, including its purpose, and including, where applicable, the legitimate interest being pursued; the necessity of the processing, its proportionality and the risks that it poses to data subjects; and measures to address the risks identified.

6
Q

What is “Attestation” in the privacy context?

A

Attestation is a self-assessment tool for ensuring functions outside the privacy team are held accountable for privacy-related responsibilities. Once the privacy responsibilities of each department are documented, the departments may be asked specific questions about each responsibility.

7
Q

What is a Transfer Impact Assessment?

A

A transfer impact assessment, or TIA, is a new assessment to ensure an adequate level of data protection in a third country. TIAs consider the sufficiency of foreign protections on a case-by-case basis when data is transferred using standard contractual clauses (SCCs), binding corporate rules (BCRs) or other EU-approved data transfer mechanisms.

8
Q

What is a Legitimate Interests Assessment?

A

A legitimate interests assessment, or LIA, is a form of risk assessment and should be conducted when your personal data processing is based on legitimate interest. LIAs include identifying the legitimate interest and conducting necessity and balancing tests. An LIA demonstrates accountability and the lawfulness of your processing while confirming your compliance to the supervisory authority.

9
Q

What is a privacy assessment? In general: what, when, who, and result.

A

Measures an organization’s compliance with laws, regulations, adopted standards and internal policies/procedures.

Can be conducted on a regular basis, ad hoc due to a privacy/security event, or at the request of an enforcement authority.

Performed by an internal audit function, the DPO, self-assessment, or a third party.

Results in documentation to upper management, analysis of results to improve and remediate the program, and monitoring of changes on an ongoing basis.

10
Q

At the time of a merger, acquisition, or divestiture, what checkpoints should privacy teams look at?

A
  • Applicable new compliance requirements
  • Existing client agreements
  • New resources, technologies and processes (to bring them into alignment)
  • Standards and sectoral-specific laws
  • Comprehensive laws and regulations
11
Q

If a merger or acquisition means that you must transfer data to another controller, you need to:

A
  • Ensure you consider the data sharing as part of the due diligence you carry out
  • Establish what data you are transferring and document the data sharing
  • Identify the purposes for which the data was originally obtained
  • Establish your lawful basis for sharing the data
12
Q

What specific areas should I focus on when evaluating a cloud service provider?

A

Certifications and standards, technologies, service road map, data management, information security, subcontractors and service dependencies, and data policies and protection.

13
Q

What are the common risks of working with vendors?

A
  • Scope creep
  • Process/quality standards
  • Data breaches
  • Oversight
  • Laws and regulations
14
Q

What are the basics of vendor assessment?

A

Vendor assessment is the evaluation of a vendor for privacy and information security policies, access controls, where the personal information will be held, and who has access to it. Risk assessment should be extended to all areas of the business, including procurement. The same assessment process should be followed every time the organization considers using a new vendor.
