Privacy Impact Assessments – From Good Practice to Mandatory

In an era dominated by digital interactions and evolving privacy compliance requirements, risk assessments in the form of Privacy Impact Assessments (PIAs) become crucial. A PIA is a systematic and comprehensive evaluation of the potential risks and impacts on privacy associated with the collection, use, and disclosure of personal information by an organization. It serves as a proactive measure to identify and address privacy risks, ensuring that data handling practices align with legal, ethical, and organizational requirements.

Transparency and Accountability

PIAs promote transparency by ensuring that organizations are open about their data processing activities. By conducting a PIA, organizations demonstrate their commitment to accountability and responsible data stewardship. This not only strengthens consumer trust but also helps organizations adhere to legal and regulatory obligations.

Risk Mitigation and Privacy-by-Design

PIAs enable organizations to identify potential privacy risks before implementing new systems, technologies, or processes. By conducting a thorough assessment, organizations can adopt a privacy-by-design approach, integrating privacy considerations at the earliest stages of development. This approach minimizes privacy risks and reduces the likelihood of data breaches or privacy complaints.

Regulatory Requirements to Conduct PIAs in the United States

In the United States, the requirements to conduct privacy assessments are broadly similar from state to state but differ in the details. Let’s look at the states whose privacy laws are already in force or that come into force this year. Under the Utah Consumer Privacy Act, which goes into effect December 31, 2023, businesses are not required to conduct data protection assessments or risk assessments related to their processing or control of personal data. However, there is language that implies that risk assessments should be done. Meanwhile, under the California Consumer Privacy Rights Act, which applies to personal information collected after January 1, 2022 and went into effect January 1, 2023, businesses whose processing presents a significant risk to consumer privacy or security must submit a regular risk assessment to the new regulator in the state, the California Privacy Protection Agency (CPPA).

Under the Virginia Consumer Data Protection Act, which also started applying to processing activities as of January 1, 2023, data protection assessments are required only under certain circumstances, such as when processing personal data for targeted advertising; selling personal data; processing personal data for profiling under certain circumstances; or processing sensitive data. Similarly, the Colorado Privacy Act and the Connecticut Data Privacy Act, both taking effect on July 1, 2023, require an assessment to be conducted if the processing of personal data presents a heightened risk to consumers.

Regulatory Requirements to Conduct PIAs in Canada

Unlike the risk-based approach in the U.S., PIA requirements in Canada are based simply on whether personal information is involved. Although this removes the subjectivity in determining foreseeable risk and the dependence on organizational risk tolerance, a blanket requirement is incredibly onerous. Thus, prioritizing PIAs based on level of risk (e.g. a significant amount of data is being processed or the data is sensitive) is practically necessary.

Note that although public sector institutions are familiar with PIA requirements imposed upon them by privacy regulators (and, in the case of federal agencies, the Treasury Board Directive), references to any requirement to conduct a PIA are non-existent under Canadian private sector privacy laws. However, that is about to change. Requirements coming into force September 22, 2023 under Quebec’s Law 25, the Privacy Legislation Modernization Act, include:

  • An obligation to conduct a PIA before engaging in an acquisition or development project or the redesign of an information system or electronic service delivery system involving the collection, use, disclosure, conservation or destruction of personal information; and
  • An obligation to conduct a PIA before communicating personal information outside of Québec to ensure that adequate protection will be afforded to the information in the receiving jurisdiction.

Meanwhile, under Bill C-27, the Consumer Privacy Protection Act that is slated to replace PIPEDA, organizations relying on the legitimate business interest exception to consent will be required to complete a privacy impact assessment and to provide copies of the assessment to the Commissioner on demand. Although this requirement seems quite limited, the Consumer Privacy Protection Act does require organizations to have a privacy program in place, and ensuring that personal data processing triggers a PIA process is arguably becoming more widely acknowledged as critical to an effective program. The House of Commons Standing Committee on Industry and Technology will begin its review of Bill C-27 in the Fall of 2023.

PIA Tools and Resources

There are many tools available to privacy teams as they consider conducting PIAs consistently and systematically. And don’t ignore leaning on resources made available internationally by privacy regulators. For example, I attended an IAPP Toronto KnowledgeNet event on May 18th discussing contexts in which the PIA software tool developed by CNIL, France’s privacy regulator, could be of significant benefit. I am convinced it would be highly useful for small to mid-sized businesses in conducting PIAs.

The importance of a practical risk-based approach to privacy compliance means the need to conduct effective PIAs will only grow. Contact PRIVATECH for assistance with your privacy risk assessments or to gain a better understanding of your privacy compliance obligations.