- Introduction
- Basic Security Principles
- Data Management: Determining and Maintaining Ownership
- Data Governance Policies
- Roles and Responsibilities
- Data Ownership
- Data Custodians
- Data Documentation and Organization
- Data Warehousing
- Data Mining
- Knowledge Management
- Data Standards
- Data Lifecycle Control
- Data Audits
- Data Storage and Archiving
- Data Security, Protection, Sharing, and Dissemination
- Privacy Impact Assessment
- Information Handling Requirements
- Record Retention and Destruction
- Data Remanence and Decommissioning
- Classifying Information and Supporting Asset Classification
This chapter is from the book
This chapter is from the book
This chapter is from the book
Privacy Impact Assessment
Another approach for organizations seeking to improve their protection of personal information is to develop an organization wide policy based on a privacy impact analysis (PIA). A PIA should determine the risks and effects of collecting, maintaining, and distributing PII in electronic-based systems. The PIA should be used to evaluate privacy risks and ensure that appropriate privacy controls exist. Existing data controls should be examined to verify that accountability is present and that compliance is built in every time new projects or processes are planned to come online. The PIA must include a review of the following items as they adversely affect the CIA of privacy records:
Technology: Any time new systems are added or modifications are made, reviews are needed.- Processes: Business processes change, and even though a company might have a good change policy, the change management system might overlook personal information privacy.
- People: Companies change employees and others with whom they do business. Any time business partners, vendors, or service providers change, the impact of the change on privacy needs to be reexamined.
Privacy controls tend to be overlooked for the same reason many security controls are overlooked. Management might have a preconceived idea that security controls will reduce the efficiency or speed of business processes. To overcome such barriers, senior management must make a strong commitment to protection of personal information and demonstrate its support. Risk assessment activities aid in the process by informing stakeholders of the actual costs related to the loss of personal information of clients and customers. These costs can include fines, lawsuits, lost customers, reputation, and, ultimately, the viability of the company.