For over two decades, a privacy impact assessment has been an essential part of the privacy professional’s toolkit for understanding and mitigating privacy risks. In that time, there have been significant strides in automation of the PIA process.
Automated assessment tools can do a lot of the heavy lifting for you, but the design and execution of a system that manages PIAs still needs a human element to make the PIA process successful. Poorly designed PIA forms that are not in tune with organizational needs create roadblocks and slow down the overall due diligence process for any project that manages personal information.
Deciding on the tool to get the best result
For many privacy professionals, an automated tool may be better than using an Excel spreadsheet or Word Document for capturing privacy risks. The use of a tool depends on the volume of PIAs that an organization needs to complete, the resources available, and the types of personal information processed by the organization. Simple processing of personal information with few programs may not require a tool for managing PIAs.
When deciding on a tool, the key to getting the best result lies with the user, not with any individual platform. Automation comes with capabilities such as using the responses in the PIA to populate a data inventory, flagging risks that need to be mitigated, and scheduling follow-up assessments on an annual basis. These tools also typically have a “skip logic” feature, which automatically hides questions that are no longer relevant based on the responses already provided. When implemented strategically, automated tools make the PIA process more effective, and something that stakeholders actually want to complete.
There are many considerations that go into the design and implementation of such a tool, including the structure of PIA questions and anticipating what standard responses to those questions should be. This consideration for ideal answers is often missing in organizations that do not have a mature PIA process.
Questions with a purpose
Every question in a PIA has to be crafted with a purpose in mind. There is either a regulatory requirement to address the issue raised by the question or another risk the organization needs to be aware of.
Questions should focus on how information is collected, stored and used, what notices are provided to users, and how long the information is retained before it is destroyed.
Too often, a standard set of questions is used, sometimes from another company or an altogether different industry. This is the wrong approach. It’s worth the time to ask only those questions that address your organization’s collection, retention, use, disclosure and destruction practices. Both the questions and the overall PIA process must be designed with the respondents in mind.
Think human when designing the PIA process
The first step to developing a more effective PIA process using automation is to “think human.” This step requires the organization to think about the respondents and those responsible for the process before developing the questions for the PIA and before implementing them in the tool. Ignoring this step gives rise to confusion, both among PIA respondents and among those responsible for processing and reporting on PIA findings. Thinking human also means keeping the audience, your PIA respondents, in mind when drafting questions and building your PIA questionnaire: take note of who that audience is and craft questions that make the process as easy and clear for them as possible.
Privacy professionals should appreciate their audience’s vocabulary when posing PIA questions. Speak their language, and don’t fall into the trap of over-using technical jargon for a general audience. More often than not, PIA respondents understand privacy from a business perspective, not from that of a privacy pro. Factor in their limited exposure to privacy issues and the scarcity of their time, and tailor the PIA to their needs.
Train the trainers
Before building out the questions in the tool, it is imperative that the architect of the PIA process gets training on the tool to truly understand its capabilities. Architects should spend sufficient time with a new solution or tool to understand its features. Your sales representative should provide you with this guidance. Doing so makes it easier to anticipate and remedy problems that may arise in the deployment of the tool once it is in use.
Putting together a PIA in an automation tool is akin to building a dresser. Yes, it’s possible that it can be done without instructions and on intuition alone. However, it’s equally likely that you will end up having to read the instructions anyway to figure out where you went wrong when you are holding that extra piece in your hand.
To ensure that the automation tool has the intended outcome, focus on understanding the tool’s capabilities and drafting effective questions that will give you the required information. Focus on tone, sentence structure and vocabulary that will most likely engage the PIA respondents.
Make the PIA questions as simple and clear as possible. Your organization’s newest team member can be an ally on this front. Ask them if your PIA questions make sense. A PIA shouldn’t only be understood by experts. Encourage this team member to tell you whether the questions are easy to understand, what is unclear and what requires more explanation. After all, a PIA should tell a logical story, with subheadings to orient the respondent. Don’t use abbreviations without explaining them. Clarity is key.
Developing training materials when creating or updating a PIA process
During the design process of the PIA, it’s important to consider whether your organization’s training materials address any questions that may come up. Do the team responsible for addressing identified risks and all respondents to PIAs have the right support and understanding to complete this process as the architect intends? Be aware of differing levels of knowledge and awareness of privacy principles as you interact with others in your organization.
If the organization automates without educating its staff about how to complete PIAs, the automation tool will create more work in the future. For example, if the training doesn’t come either before or at the same time as the organization implements the PIA process, users are likely not to understand their role or the purpose of the process. As a result, they may not know where to find answers to their questions, may not make it a priority to complete training, and may forget about it altogether.
This highlights the importance of having instructions on how to complete a PIA readily available within your organization.
Conclusion
Anyone at your organization should be able to pick up a PIA report and understand five key points: (1) what the product is, (2) whether it uses personal information to achieve business objectives, (3) risks associated with the processing of that personal information, (4) the impact of that risk to the business, and (5) risk mitigation solutions.
Automated assessment tools can do a lot of the heavy lifting for you, but the organization needs to spend time planning and implementing upfront in order to get the best outcome from its PIA process. By “thinking human” and learning about all of the tool’s capabilities, the organization saves itself time going forward when it implements a well-designed and thought-out PIA.
The automation capabilities in these tools are strong, but they still need human supervision to deliver the best results for the organization. At the same time, humans need the right training and knowledge to ensure they’re doing the best possible job.