Conducting a privacy assessment is crucial to your data protection compliance journey. A privacy assessment is an in-depth evaluation of the personal data an organisation holds and its current data handling practices. Through this process you can identify the key privacy risks facing your organisation and the compliance gaps you need to fill. Privacy assessments involve two critical steps: data mapping and gaps assessment. In this article, we consider the value of a privacy assessment to your privacy compliance program. We describe the best way to do this assessment in order to optimise your organisation’s compliance program.
This article is part of our ongoing ‘Roadmap to Data Protection Compliance’ series which gives practical guidelines to businesses looking to comply with data protection laws. Previous articles in this series tackled initial training and sensitisation as a first step towards compliance and establishing a privacy governance framework as the second step.
What is a privacy assessment?
A privacy assessment is an analysis of how personal data is collected, used, shared, and maintained within an organisation. It is a risk management process that helps institutions identify the impact of their data processing operations on individuals’ privacy. Once data protection issues are identified, your organisation can develop remedial or mitigating actions to ensure compliance with data protection laws.
Why conduct a privacy assessment?
Privacy assessments give key privacy compliance stakeholders in your organisation a keen understanding of the personal data you collect and how it is processed.
Privacy assessments can serve you in the following ways: –
- identification of compliance gaps; through your assessment you can identify existing privacy risks at each stage of data processing and propose appropriate mitigation measures.
- as a tool for registration with data protection authorities; A privacy assessment is essential for registration as a data controller or data processor. It also promotes certain data protection principles such as data accuracy, data minimisation and data transparency.
- improving operational efficiency and increase profits; during this process you can identify and eliminate the duplication of roles or duplicate data which drive up processing costs. Privacy assessments also provide an opportunity to identify and monitise any underutilised data. Further, laying out the data flows in your business facilitates quick decision-making and better reporting on privacy matters.
- promoting awareness and understanding of privacy issues within the organisation; during the privacy assessment process and from the data map and gaps assessments developed, employees and other stakeholders gain a deeper understanding of their individual compliance obligations.
How to Carry out a Privacy Assessment
There are two steps to carrying out a privacy assessment. The first is data mapping. A data map is a complete record or inventory of all the personal data processed in your organisation. This inventory provides an overview of how the data flows from its initial collection to the point it is erased. For a more in-depth look at how mapping supports privacy compliance click here.
The second step is a gap analysis. This is a critical evaluation of all the data maps to identify data privacy gaps. In essence, you assess the extent of current compliance with data protection laws and regulations. You also identify the existing risks and data protection gaps in the processing of personal data in your organisation.
Some best practices for privacy assessments include:
- Compiling a checklist of all the privacy legal requirements your company needs to comply with. This ensures an all-inclusive privacy compliance program.
- Conducting fact-finding interviews with all the data processing departments in your organisation. During the interviews, you identify the type of personal data collected, the data subjects, the existing data security measures, any third parties with whom you share personal data, possible international data transfers and the data processors you employ.
- Additionally, perform quality checks on the information collected to guarantee data accuracy. To do this, go through all the data ensuring you eliminate duplicates and correct any inconsistent information.
- Also, consider automating the process to allow for regular updates and expansions. You can use a Microsoft excel sheet for this. Alternatively, you can employ a specialised privacy management software in the market; For example, OneTrust, IBM Data Risk Manager or Clarip.
- A privacy governance team is also essential in coordinating the assessment. The team is in-charge of establishing the scope, deadlines and resources needed for the project.
The privacy assessment process identifies all data protection gaps and privacy risk factors. We see how data has come into the organisation and how it moves, how it is used, how it is stored and secured and how it is finally erased. Your organisation can then implement the recommendations from the privacy assessment report, allowing you to develop an effective compliance program. Next week we continue with the ‘Roadmap to Data Protection Compliance‘ series by advising on the key policies required for data protection compliance.