Making Privacy Impact Assessments less of a PIA

Every day I speak with clients about a number of different privacy-related matters. However, the one that has become most prominent is setting up or running privacy impact assessments. PIAs are a tool used to identify the potential privacy risk from any existing or proposed activity, product, or system. The end goal is then to mitigate these risks. However, experience has helped me to understand that the greatest weight of this process is placed in the implementation and setup.

A PIA process can be completed in a number of ways. Some companies simply use a spreadsheet or proprietary form to handle PIAs. This is doable for organizations handling less information or with a less formal privacy program, but larger organizations require more assistance. Most companies decide to utilize a prebuilt platform or application. I have used both the TrustArc and OneTrust PIA platforms to perform a few assessments and learned that both benefit from a strong start.

By defining systems, applications, vendors, or inventories within these tools, you greatly boost the effectiveness of your PIAs. You can now identify risk based on a particular system being used, the vendor utilized, or how information moves through your organization. Spending time up front multiplies the effectiveness of the assessment. In some cases, you can build out a risk registry to learn what risks are inherent to processing activities and address them more efficiently.

When your organization starts to investigate the use of a PIA system, take the time to review your options, but also consider how implementation will be managed. Perhaps another group or vendor can assist in implementation. A good implementation can reduce the cost by thousands in time saved.