With the introduction of a new privacy law in Iowa and the entry of five more privacy laws in 2023, the US privacy landscape is continuing to be an increasingly difficult space to operate in. Organizations in the US have a difficult task in navigating the various requirements placed upon them and one of the most complex areas of US state privacy compliance is understanding the ins and outs of Privacy Impact Assessments (PIAs). Not all states require them and there are different thresholds for when they should be conducted and what you should include.
It is also worth noting that while PIAs are not a strict requirement in all states, ensuring high-risk processing activities have been assessed through a PIA is considered a best practice and can help you to understand the impact and risk that your processing activities might have on the individual.
Keep reading to get a better understanding of what activities would trigger a PIA under different state laws, what to include in your PIA, and how you can approach conducting one.
What is the purpose of a PIA?
To fully understand the significance of conducting a PIA, it’s a good idea to first get a better understanding of what one is and what they do. A PIA is a process that helps organizations identify and evaluate the potential privacy risks and impacts associated with new processing activities, projects, or information systems.
The purpose of a PIA is to ensure that an organization has the information it needs from its different stakeholders to help design and implement new activities that involve personally identifiable information (PII) in a way that puts the protection of individuals' privacy front and center.
By highlighting potential risks, PIAs also help to identify ways in which these risks can be mitigated. And by documenting how your organization has approached minimizing the impact of individuals’ privacy, a PIA can serve as a record for demonstrating accountability with applicable laws and as an audit trail, should the regulators or attorneys aeneral come knocking. Additionally, it can helpi your organization achieve Privacy by Design.
When is a PIA required?
As a general rule, a PIA is required when the proposed processing activity presents a heightened risk to the privacy of individuals. This can include activities such as when new or novel technologies are present, monitoring consumer behavior, or making significant changes to existing systems.
However, certain state laws are more prescriptive about what specific activities require a PIA such as targeted advertising, profiling, or the use of sensitive information. This can be seen in Virginia, Colorado, and Connecticut.
California is less prescriptive regarding when a PIA is required but organizations covered by the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) are required to submit regular risk assessments to the California Privacy Protection Agency (CPPA). This suggests that the threshold for ‘significant risk’ in California should be considered broader than in other states and highlights the necessity for keeping a record of assessments and responses. One of the key areas to be considered in Privacy Risk Assessments under the CCPA (as amended) is whether sensitive personal data will be processed.
Neither privacy law in Iowa nor Utah contains a specific requirement for conducting PIAs. However, as mentioned previously, PIAs should be seen as a best practice for organizations to adopt, regardless of whether the law dictates that it should be performed.
Even adopting PIAs as a best practice can be difficult when determining which processing activities and projects would require a PIA. Irrespective of law or best practice, a PIA should be conducted at the outset of any new activity or project. If you are unsure if a PIA is necessary, ask yourself these questions:
- What personal information am I likely to require?
- Is it classified as sensitive personal information?
- Who will have access to this personal information?
- Will you be using novel technologies such as AI?
- Will the information be used for profiling or targeted advertising?
If the answers to any of these questions lead you to believe that a high risk to consumers is present, you should conduct a thorough PIA to ensure all potential risks are highlighted and an action plan is developed to mitigate them. You may even consider developing or using a templated threshold assessment to help you determine the need for a PIA.
What to include in a Privacy Impact Assessment
When a PIA is required by a US state privacy law, there is one thing that they all have in common — a risk assessment should weigh the benefits of the project against the risks that it may cause to the individual. While this is a good starting point, Virginia, Colorado, and Connecticut are more granular with what is expected to be included in a PIA. These states ask organizations to ensure that the following criteria are assessed:
- The context of the processing
- The relationship between the organization and the consumer
- The reasonable expectations of the consumer
- The use of de-identified data
Moreover, to get a complete picture of the risk presented by your proposed processing activity, your PIA should include:
- Details relating to the activity (who, what, how, etc.)
- Information relating to the consumer (location, volume, age, etc.)
- Information relating to the personal data involved (source, anonymization/pseudonymization, sensitive data, etc.)
- Details relating to how you meet privacy principles (fairness, transparency, purpose limitation, etc.)
- Details relating to the lawfulness of processing (valid consent, transparent notice, etc.)
- Information relating to consumers’ access to their rights (privacy notices, non-discrimination, exercising rights, etc.)
- Details relating to data governance (access and security controls, etc.)
| CA | VA | CO | CT | |
| Balancing benefits against risks | X | X | X | X |
| Context of processing | X | X | X | |
| Relationship between controller and consumer | X | X | X | |
| Expectations of the consumer | X | X | X | |
| Use of de-identified data | X | X | X | |
| Privacy Impact Assessments are not a requirement in Utah or Iowa. However, they are considered a best practice regardless of requirement. | ||||
How to conduct a PIA
While completing a risk assessment might seem a straightforward task, there are several steps you need to take to effectively complete a comprehensive PIA that might not be immediately apparent.
1. Before starting a PIA, you’ll need to evaluate whether an assessment is necessary based on the details of the proposed activity. Start by describing the project in detail (this will also help later in the process).
2. Conduct a threshold assessment to understand whether risk is present and whether a PIA is needed. Use your data map to understand how personal data flows throughout the project from collection to use and storage, the purpose of the processing, and the types of personal data being processed. This will help you to highlight the areas where significant risk might be present.
3. If a PIA is required, you should first determine the scope of the PIA. This includes identifying which system owners, teams, and third parties will be involved, which information systems are being utilized, and what personal data is needed for the project to work.
4. Having determined the scope of the PIA, a standardized template should be sent to the relevant, identified stakeholders for their input. The assessment should be in clear and plain language to ensure that each team knows exactly what you are asking and that you receive the most accurate responses. For example, instead of asking, “What is the purpose for processing?” ask, “What is the business reason for using this data?”
Your assessment should include questions that help to identify privacy risks and vulnerabilities associated with the project or system, including any legal, ethical, or reputational risks. It should take into account how personal data is used or accessed at different touchpoints throughout the project life cycle and how the associated risks should be evaluated.
5. When you have received your responses, it's time for you to analyze them. This will help you to determine processes for mitigating risks including developing strategies to implement technical, administrative, and physical safeguards.
7. Document the PIA process and results and include an overview of the project or system, the data flow analysis, the privacy risks identified, and the mitigation strategies proposed.
8. Use this report to update your data map to ensure it is always accurate and creates an evergreen record, with the PIA being the ongoing point-in-time analysis of the processing.
9. Once the project is assessed, the process documented, and the mitigation strategy is outlined, you will need to act. Ensure you can implement the risk mitigation strategies you have outlined and monitor their effectiveness over time.
10. The final piece to the PIA is to set up a review and re-assessment cadence to monitor the effectiveness of your safeguards over time and as the project evolves.
How does OneTrust help?
There are a lot of steps when it comes to conducting a good quality PIA. In isolation, this wouldn’t be a problem, but once you factor in the multitude of other daily tasks and responsibilities that privacy professionals have to contend with, the PIA process must be streamlined.
Enter the OneTrust PIA & DPIA Automation tool that helps to automate and simplify the process of creating, distributing, and analyzing PIAs. OneTrust PIA & DPIA Automation allows you to define the assessment workflow from threshold assessment all the way through to review and re-assessment.
Get started by building, importing, or customizing assessment templates, or choose from over 250 available templates. OneTrust enables customizations, like incorporating business-friendly language and helpful tips. PIA & DPIA Automation also makes gathering internal responses and collaboration with third parties easy by sharing privacy projects with users in and outside of your organization.
As PIAs are submitted to the privacy office, risks are automatically flagged, and recommendations for remediation are provided. Risks can be flagged using a configurable heatmap, which includes their severity and likelihood of happening, and you can also manually flag them.
Match PIA & DPIA Automation with OneTrust Data Mapping Automation to maintain a complete record of privacy program activities, which may be exported as a full report for any project conducted by the privacy team to speed up internal and external audits. Data Mapping Automation can also help create data flow visualizations to help you understand exactly where personal data will be collected, used, and stored, as well as give you full visibility into what access controls, security safeguards, and retention policies have been applied to personal data.
