Privacy Impact Assessments

Privacy Matters will help you embed privacy practices into your projects, programs, or services from the outset.

A privacy impact assessment (PIA) is a critical risk management and compliance tool that every organization should have in its toolbox. Whether your organization is in the public or private sector, PIAs mitigate financial, legal, and reputational risk.

A PIA is a step-by-step review used to determine the impact of a program or service on individuals’ privacy. It analyzes how personal information is collected, used, shared, maintained, and secured before a project, product, or service is launched or substantially modified. The objective is to identify, record, and mitigate risks that may compromise the privacy of individuals or breach legal, regulatory, and policy obligations.

PIAs are not new to public-sector organizations in Canada. In fact, amendments to British Columbia’s Freedom of Information and Protection of Privacy Act (FIPPA) now require covered public bodies to conduct PIAs. The private sector should take notice as well.

PIAs can be a daunting and intimidating process. Let Privacy Matters take some of that stress off your shoulders and let our experts do what they do best. We can help you work through and write specific PIAs, or help you develop in-house templates and provide PIA-specific training for your staff.

PIA FAQs

  • Situations where a PIA may be required include:

    • Launching a new product, service, app, or website

    • Implementing a new operating procedure

    • Making significant changes to an existing initiative

    • Using geolocation, facial recognition, video surveillance, smart sensors, fingerprints, or other tracking applications

    • Comparing or merging databases

    • Acquiring a business or asset

  • Private-sector organizations are not required to complete PIAs unless they are working with public-sector organizations.

    However, the privacy regulatory landscape in Canada is changing. Canada is moving from an ombudsman model toward an enforcement model that mirrors the E.U.’s GDPR. Under the GDPR, organizations are required to conduct Data Protection Impact Assessments (DPIAs) for processing that is likely to be “high risk.” As of 2023, failure to comply may result in fines of up to €20 million or four percent of global revenue, whichever is greater. Since enforcement began in 2018, total fines have surpassed €1.3 billion.

    Canada is about to follow suit. Quebec’s new privacy legislation (in force from 2023) requires businesses to conduct a PIA before acquiring, developing, or redesigning an information system or electronic service delivery project that involves the collection, use, disclosure, retention, or destruction of Quebec citizens’ personal information. Administrative monetary penalties can reach $10 million or two percent of worldwide revenue, and fines for penal offences can reach $25 million or four percent of worldwide revenue.

    The proposed amendments to Canada’s federal privacy laws also include elements of PIA requirements. Change is coming down the pipes: now is the time to prepare.

  • PIAs do not need to be complex or time consuming, but they must be thorough. The complexity of a PIA depends on the complexity of the project in question. Generally, the process begins with a preliminary analysis in which we gather as much information as possible about the project or service. This may involve working with different members of your team to build a fuller understanding of the project, its data and information flows, and your business practices. We then complete a multi-jurisdictional legislative analysis scoped to where your business operates. Once this is complete, we provide a list of identified risks and corresponding mitigation strategies.

    It is important to note that a PIA should be treated as a “living document” that is revisited and updated as the project changes. Drafting a PIA is also an iterative process, so you can expect us to work closely with you and the relevant business units on an ongoing basis until the PIA is complete.

  • Your business should determine who will coordinate and carry out the PIA. Depending on the complexity of the project and the availability of staff with the necessary expertise within your institution, you may need to hire externally. This is where Privacy Matters can step in.

Ready to get started?