James Thew - Fotolia
What is a privacy impact assessment, and how do you conduct one? What effect can they have on enterprise security?
A privacy impact assessment is a review of how an organization handles the sensitive or personal data flowing through their systems. Through this review, the organization -- or potentially a hired third party -- will review internal corporate processes, procedures and even technology to determine how privacy data on users or customers is being stored, collected and processed. This is commonly seen within government agencies and sometimes within organizations storing large amounts of private data on their users or customers, like in healthcare, e-commerce or other industries.
Certain countries have stricter data privacy laws -- like those within the EU -- and depending on the jurisdiction of the data, there is potential for regulations to guide this process or even mandate it. Enterprises that perform a privacy impact assessment are typically trying to determine where the data is at risk of privacy exposure and create plans to mitigate or compensate the privacy deficiencies before there's an issue.
If an organization holds privacy information in its systems and is either privacy-aware or looking to adhere to regulation, it is always helpful to have this exercise start before a system or application is implemented. If the assessment is done after the fact, then it's harder to have changes, applications and processes reverted. It's not impossible, but it's helpful to have these suggestions and risks brought to the forefront before anything is pushed into production.
During this time, it's also helpful to determine the key stakeholders and business owners; the exact personal information that will be stored, collected and processed; what technology will be used; ways to protect privacy within the technology, such as encryption or tokenization; and how the data actually flows through the systems. Creating and mapping out data flows is a huge task and needs to be done in order to review the scope of the project, map systems and, at times, visually assist with understanding how the architecture works.
One thing to consider with such a heavy focus on cloud is what third parties are involved and how they protect the privacy of this data. How does your cloud supply chain put your organization's privacy at risk if they're not following the same standards?
When risks like this are found, they need to be documented and reviewed by the team performing the privacy impact assessment and given to the stakeholders responsible for remediating them. These report findings are determined after reviewing the application or systems with an impact analysis that is sometimes done with a questionnaire, interviews of those working with the system and in-depth technology review. The findings should be classified by risk, with suggestions for remediation.
Performing a privacy impact assessment doesn't particularly make the application or system more secure, even though this is possible; its main focus is to protect the privacy of the individuals whose data is being stored, collected and processed. The difference between privacy and security is subtle and many times goes hand-in-hand. With these assessments, we're more concerned with protecting how systems appropriately use the data under the laws and regulations to which they have to adhere.
Ask the Expert:
Want to ask Matt Pascucci a question about security? Submit your question now via email. (All questions are anonymous.)
Learn how to address privacy and security issues in Android VPN apps
Read what Whit Diffie has to say about privacy and security in internet of things
Discover new techniques for keeping cloud data private