Any business that has customers. Any healthcare provider who has patients. Any professional who has clients. Any government agency that serves citizens. All collect personal information about individuals to one degree or another. (Hint: The degree doesn’t matter.)
Organizations collect Personally Identifiable Information (PII) in virtually every transaction that occurs for a commercial, governmental, or social purpose today. And after they collect it, they may also process, transfer, share, and store that information themselves — or with a third party acting on their behalf. (Hint: It doesn’t matter which.)
Every organization that possesses PII needs to conduct a privacy risk assessment periodically, beginning with a first-time or baseline assessment. For those governed by privacy regulations, it’s a must. For the rest, it’s just good business management.
Let’s look briefly at some of today’s most notable privacy regulations.
The European Union enacted a milestone law in 2016 with the General Data Protection Regulation (GDPR). This regulation governs the protection and privacy of individuals’ personal data in the European Union and European Economic Area (EEA), as well as the transfer of personal data outside these areas. One of its primary purposes is to simplify the regulatory environment for international business within the EU.
The United States has taken a slightly different approach to privacy protections, enacting industry-specific privacy laws, such as those for healthcare, financial services, and credit cards. In addition, several states have enacted their own privacy laws, led by the California Consumer Privacy Act of 2018.
The first federal legislation in the U.S., the Privacy Act of 1974, established a code of fair information practices to guide federal agencies in maintaining personal data. The Act governs the collection, maintenance, use, and dissemination of personally identifiable information maintained in agency records systems, which may be databases or data processing ecosystems. The law derived from concerns that PII could be misused or mismanaged to the detriment of the individual.
Passed in 1996, the Health Insurance Portability and Accountability Act (HIPAA) is sweeping, complicated legislation designed to regulate health insurance. In addition to provisions related to health insurance, the Act also addresses data privacy in its Privacy Rule. HIPAA applies to all healthcare providers who deal with Medicare, which includes virtually every hospital, medical center, and healthcare practice in the U.S.
Enacted in 1999, the Gramm-Leach-Bliley Act (GLBA) modernized the financial services industry and addressed concerns relating to the privacy of consumer financial information. The Act gave the Federal Trade Commission responsibility for enforcing the Privacy of Consumer Financial Information Rule, commonly known as the Privacy Rule.
In 2018, the State of California enacted a landmark piece of legislation called the California Consumer Privacy Act (CCPA). Its goal is to extend consumer privacy protections to include the Internet, and it is arguably the most comprehensive Internet-focused data privacy legislation in the U.S. today.
These and other laws and regulations were created to help protect the privacy of personally identifiable information that is collected in virtually every transaction that occurs for business, governmental, or social purposes — and which then may be processed, transferred, shared, and stored by the original collector or a third party acting on its behalf.
However, legislation is worthless without thorough implementation and consistent enforcement, and without penalties applied for serious violations. Demonstration of implementation begins with an assessment of an organization’s current state of compliance.
Section 208 of the Act requires that federal agencies assess all systems that touch personally identifiable information to ensure that sufficient data privacy protections have been implemented. The prescribed method is the privacy impact assessment (PIA).
The PIA applies to the entire data processing ecosystem. It applies to data systems that are developed in-house, and those that are purchased or leased. And it applies whether they collect, store, maintain, use, share, transmit, or otherwise manage or process the personally identifiable information.
A sample template of one agency’s privacy impact assessment specifies that an assessment should be conducted in the following scenarios:
The federal privacy impact assessment is comprehensive and well-considered, which is why its elements have been adopted by many private sector organizations.
In an effort to further formalize privacy management activities for organizations, including government and business, the National Institute of Standards and Technology (NIST) developed the NIST Privacy Framework.
The prevailing version 1.0 of this voluntary tool was introduced in January of 2020, and in less than a year the privacy framework has been adopted by more than a quarter of survey respondents, according to a report by the International Association of Privacy Professionals (IAPP) and FairWarning, a nonprofit investigative news organization.
The framework helps organizations in identifying privacy risks and establishing privacy risk management programs, including data privacy protections, throughout an entire data processing ecosystem. The NIST Privacy Framework is designed to:
Below is an outline of the first two levels of the NIST Privacy Framework structure, which is available in its entirety in PDF form on the NIST website. This outline helps to describe the scope of the framework.
Develop the organizational understanding to manage privacy risk for individuals arising from data processing.
Develop and implement the organizational governance structure to enable an ongoing understanding of the organization’s risk management priorities that are informed by privacy risk.
Develop and implement appropriate activities to enable organizations or individuals to manage data with sufficient granularity to manage privacy risks.
Develop and implement appropriate activities to enable organizations and individuals to have a reliable understanding and engage in a dialogue about how data are processed and associated privacy risks.
Develop and implement appropriate data processing safeguards.
The NIST Privacy Framework and the privacy impact assessment together form a solid foundation upon which to build a robust privacy risk management program, including a privacy risk assessment.
A good privacy risk assessment combines privacy impact assessment principles with the NIST Privacy Framework and other best practices to create a thorough view of the vulnerabilities that could compromise personally identifiable information within an organization.
A privacy risk assessment will identify and analyze privacy risks at the organization, application, and process levels to ensure a complete evaluation. It will assess existing as well as planned processes that touch personal data, whether collecting, transmitting, sharing, storing, or otherwise processing it.
Privacy risk assessments for healthcare providers, for example, will also evaluate privacy protections and privacy vulnerabilities through the lens of the HIPAA Privacy Rule. Similarly, privacy risk assessments for financial institutions will also evaluate protections and vulnerabilities through the lens of the GLBA Privacy Rule.
The same applies to privacy risk assessments for organizations in the payment card industry and others governed by specific privacy regulations.
A privacy risk assessment will also assist an organization in developing and implementing policies, procedures, and privacy controls to manage identified risks and meet compliance requirements.
Every organization that in any way touches personally identifiable information or other sensitive individual data, whether subject to formal privacy regulations or simply governed by good business sense, should schedule a privacy risk assessment to be completed before year-end.
Organizations collect personally identifiable information (PII) in virtually every transaction that occurs today, enabled in large part by the efficiency of the Internet and myriad software applications.
Many organizations are governed by data privacy regulations and laws, including federal agencies, financial services providers, healthcare organizations, and payment card processors. For regulated industries, as well as for others who desire to protect the privacy of individuals’ data, the NIST Privacy Framework and privacy impact assessment establish a solid foundation for a robust privacy risk management program and risk assessment.
Every organization that touches PII needs to conduct a privacy risk assessment periodically, beginning with a baseline assessment. For those governed by privacy regulations, it’s a must. For the rest, it’s just smart management.