The How’s and Why’s Organizations Should Consider When Processing Personal and Sensitive Information.
By: Jerry McIver
Organizations use data every day, but often do not know how or why certain data is used. An organization may collect information on customers without knowing the risks involved. A properly run privacy risk assessment will show the how and why of processing information, including the risks associated with collecting the data. Part of the privacy lifecycle is assessing an organization after personal or sensitive information is identified. Once organizations understand where this personal information resides, they should assess the reasons for storing and processing such information.
What are privacy risk assessments?
Any time there is a collection of personal or sensitive information, an organization will face a risk in storing and/or processing this information. Though not exhaustive, risks can be security, administrative or technical in nature, and depending on the process and usage of the information, the organization will need to adjust its privacy policies to ensure safeguards are in place. Lowering the risks may include the implementation of data minimization principles, eliminating unnecessary collection and storage points, or using tailored role-based access to the data. A properly completed privacy risk assessment will show the risks of storing the data and where changes can be implemented.
A privacy assessment is typically used to look at the overall data privacy practices of an organization. These assessments typically consist of a series of questions, interviews, and surveys of the appropriate stakeholders of an organization. This could include a chief legal officer, a chief information technology officer, or a chief information security officer, but it’s not exclusive to any one individual or role; it’s driven by the actual activities of the organization.
A comprehensive privacy assessment analyzes an organization’s compliance with its own privacy program, which would include external laws and internal policies. To begin a proper privacy assessment, an organization should consider what types of products and services it provides. If part of a product or service uses personal information as part of its ordinary processing, that would raise a risk flag, and there should be a more thorough assessment of that product or service, such as a privacy impact assessment.
Privacy Impact Assessment
Privacy impact assessments are focused on products, services, or events within an organization because they involve flows of data, which introduce some risk. This analysis looks at how information is handled. It will need to ensure the handling of information complies with applicable laws and regulations, determine the risks, and evaluate the protections and alternative processes for handling the information to mitigate the risk. Furthermore, privacy impact assessments may be required under certain regulations in certain circumstances, such as the GDPR.
In addition, organizations should run or update a privacy impact assessment in the following circumstances:
- A new product or service is offered
- A new or updated data management software is introduced
- Any change to the processing of personal and sensitive information
- An event within the organization or project that entails personal or sensitive information
- Any new regulation or law being introduced
The how and why of processing data
Organizations will often collect personal and sensitive information incidental to the actual usage. Once it’s determined that the company collects (or will collect) personal and sensitive information, it must determine why it is processing this information. Does the information actually serve the purpose for which it is collected? Are there other alternative means of processing the data? Can the same service be performed if the data is not collected?
Questions to consider during a privacy risk assessment
Whether it’s a privacy assessment looking at the organization as a whole or a privacy impact assessment looking at the more specific products, services, or events of an organization, questions should be framed to extract the appropriate information for the assessment. Listed below are just some of the questions that should be asked during each assessment; this list is non-exhaustive, and there will be overlapping questions between the assessments.
- Does the organization collect personal information on consumers or employees?
- How is information stored? (e.g., on an internal server, hard drive, cloud, etc.)
- What types of individuals do you collect and store information on? (e.g., employees, consumers)
- Are there third parties that help manage your data?
- Does the organization have an inventory of where the information is stored?
- Are there security safeguards in place such as firewalls, etc. to protect the information?
- What type of access controls are in place (who can access the information)?
- Are there retention policies (schedules) in place with regard to personal information?
- Does the organization have a contact person to handle inquiries for unauthorized access to data?
Privacy Impact Assessment
- Is there a certain service, product, or event that collects and stores personal and sensitive information?
- What personal information is being processed? (e.g., Social Security Numbers, Addresses, Driver’s License numbers, etc.)
- What are the reasons for processing such data?
- Does the individual have the ability to opt out of this data collection?
- Who will have access to this personal information?
- How many different collection points are involved? (e.g., web form, employee input, mass upload, etc.)
- What are the alternatives to collecting this information?
The how and why alternatives are important
Once it’s determined that the company collects, or will collect, personal and sensitive information, it must determine why it is processing this information. Some processes, such as importing massive amounts of data or collecting vast amounts of personal and sensitive information, should be highly scrutinized. This information can linger on an organization’s network or servers, or in backups, without its knowledge. Understanding why the information is being collected will help determine additional safeguards or reduce the amount of collection to mitigate risk.
The next important step is asking how this data is being processed. Data can move through different points in and out of internal databases from external sources, and vice versa. Each point the data moves through adds to the risk of its potential exposure, and organizations should look at alternatives to the processing, such as limiting the data that is processed or processing the data separately in an off-line environment. Using a data minimization approach is one way to make sure the organization does not collect more than is needed to perform its service or provide its product. Reducing the number of moving parts and highlighting each risk can show the most effective way to limit this information’s potential exposure.
How privacy risk assessments can change an organization’s privacy program
Privacy programs and policies should be ever-changing as technology and data privacy regulations evolve. Privacy risk assessments show the weaknesses, the unnecessary data collection, and the risk flags and levels. With this information, an organization should adopt a new, or update its existing, privacy program and policies to match the processing changes resulting from the
If a risk is identified, an organization should use an alternative method or reduce the collection of personal and sensitive information. Once this process is done, it should be implemented into the organization’s privacy policies, and employees should be trained on any change in processes that will affect their work. Moreover, organizations should continually audit their privacy program to ensure they are mitigating the risks found in the assessments. Risk assessments may only be one part of the privacy lifecycle, but they will affect all other parts of the lifecycle.