Here’s why you should always conduct privacy risk assessments.
Should you conduct a privacy risk assessment?
We do not recommend skipping a risk assessment or Data Privacy Impact Assessment (DPIA/PIA) when a regulation requires one or when you have the resources to conduct one. Privacy risk assessments act as an early warning system: they detect privacy issues, minimize risk, and help you avoid costly privacy compliance mistakes. Enforcement practice also provides strong evidence that conducting risk assessments demonstrates your organization’s commitment to compliance.
At the same time, conducting general privacy risk assessments typically requires a lot of time, resources, and experience. Not every organization has this luxury, despite the benefits a privacy risk assessment brings. In a previous life, we recall these privacy risk assessments taking months to complete. For organizations that don’t yet have a mature privacy program, it may be easier to let the privacy team focus on compliance efforts that build privacy controls rather than on assessing them.
“Privacy risk assessments play a critical compliance and business role in any organization.”
However, there is an approach that can meet your needs if you must conduct privacy assessments but lack the resources. Every organization these days needs to do a data inventory. An inventory is itself a kind of assessment; in other words, it is a process in which you review your assets and data life cycle. When you conduct a data inventory, you are already interviewing your stakeholders, reviewing your documentation, and documenting your assets, data life cycle, applicable controls, and all the other information the inventory requires. That is also the perfect time to conduct a mini privacy assessment.
Since you’re already using your and your stakeholders’ time and attention, why not kill two birds with one stone? Use the data inventory process to conduct both a data inventory and a high-level risk assessment. We recommend this approach because we’ve seen it work very well in practice. We’ve done it with clients, and we saw the following results:
The business side appreciates the respect they receive since they have a business to run.
The compliance team is happy because they feel much more informed about the privacy risks they need to address.
The executive team is pleased because they know the company is doing what it needs to do to drive the organization forward.
More importantly, you continue delivering value to your customers, which is the whole point of your business.
To summarize, privacy risk assessments play a critical compliance and business role in any organization. Don’t skip them; instead, find a smart way of doing them. There are many ways to do this effectively, especially if you still haven’t done your data inventory. Both are long overdue if you want to understand not only what data you have to protect, but also where you have gaps and risks to address. Lastly, don’t forget that risk assessments will be required under California (CPRA) and Virginia law. Why wait? Start now.
If you have questions about risk assessment or data privacy and protection, don’t hesitate to reach out to us. We’d love to help you.
*** This is a Security Bloggers Network syndicated blog from "Ask Aleada" Blog - Aleada Consulting authored by Elena Elkina. Read the original post at: https://www.aleada.co/ask-aleada-blog/2021/4/9/why-we-recommend-conducting-privacy-risk-assessments-fy2az