APPS-14 – Privacy Impact Review

What is this control about?

A Privacy Impact Review (PIR) is a systematic assessment that identifies and evaluates the privacy risks arising from the collection, use, storage, and disclosure of personal information within an organization. In practice it is carried out through one or more Privacy Impact Assessments (PIAs), each covering a specific data processing activity, system, or project.

Available templates

TrustCloud maintains a curated list of internally and externally sourced templates to help you get started. Click the link for a downloadable version:

  • Leverage this template Privacy Impact Review Policy

Control implementation

Here are some guidelines for implementing an effective Privacy Impact Review program:

  • Establish a Privacy Impact Review Policy: Develop a policy that outlines the organization’s approach to conducting Privacy Impact Reviews. The policy should define the scope of the reviews, the criteria that trigger a review (for example, a new system or product that processes personal data, a new purpose for existing data, large-scale processing of sensitive data, or a change in the parties data is shared with), roles and responsibilities, and the process for conducting and documenting the reviews.
  • Identify Data Processing Activities: Inventory the data processing activities within the organization. This includes the categories of personal information collected, the purposes of the processing, the legal basis and retention period where applicable, and the systems, vendors, or processes involved in the collection, use, storage, and disclosure of personal data.
  • Determine the Appropriate Methodology: Before assessing individual activities, select the methodology or framework the reviews will follow, so that every assessment is performed consistently and can be compared. Recognized options include the National Institute of Standards and Technology (NIST) Privacy Framework and ISO/IEC 29134 (guidelines for privacy impact assessment), or another methodology that aligns with organizational needs and compliance requirements.
  • Conduct Privacy Impact Assessments (PIAs): For each data processing activity that meets the trigger criteria, perform a PIA to evaluate the privacy risks and their implications for individuals. This involves a structured walkthrough of the data flow, identification of the risks at each stage (collection, use, storage, sharing, retention, and deletion), and an assessment of the severity and likelihood of each risk materializing.
  • Identify Privacy Controls and Mitigation Measures: Based on the findings of the PIAs, identify the privacy controls and mitigation measures needed to reduce each identified risk to an acceptable level. This may involve implementing technical controls (such as data minimization, pseudonymization, access restrictions, or encryption), revising policies and procedures, or enhancing employee training and awareness. Record any residual risk that is accepted and who accepted it.
  • Document Privacy Impact Review Reports: Document the findings, recommendations, and actions resulting from each review. This includes the identified privacy risks, the rationale for decisions made, the owner and target date for each mitigation measure, and evidence that the measures were implemented. Reports should be clear, concise, and accessible to stakeholders and, where required, to regulators or other relevant authorities.
  • Incorporate Privacy by Design Principles: Integrate Privacy by Design into the development or modification of systems, processes, and products. Consider privacy from the earliest stages of design, and ensure that privacy controls are embedded into the design and functionality of the organization’s systems and processes rather than added after the fact. Schedule reviews to be repeated when a system or processing activity changes materially, not only at initial launch.

What evidence do auditors look for?

Most auditors, at a minimum, look for the following evidence:

  • Privacy Impact Review Policy: A documented, approved policy that outlines the organization’s approach to Privacy Impact Reviews. The policy should include the objectives, scope, roles and responsibilities, the criteria that trigger a review, and the process for conducting and documenting the reviews. Auditors will typically also check that the policy has an owner and a defined review cycle.
  • Privacy Impact Assessment Reports: Documentation of completed PIAs for specific data processing activities or projects. These reports should outline the assessment process, the identified privacy risks, their potential impacts, and the recommended mitigation measures. They should also show evidence of stakeholder involvement, of the decisions made regarding each identified risk (mitigated, accepted, or avoided), and of the follow-through on agreed mitigation measures.

Evidence example

For each suggested evidence item, an example is provided below:

  • Privacy Impact Review Policy

Leverage this template Privacy Impact Review Policy

  • Privacy Impact Assessment Reports

Leverage this Privacy Impact Assessment Report
