October 19, 2017

Conducting your PIA and Data Mapping Exercise

Consider the following scenario:

A US-based data analytics company has recently gone through a tremendous growth stage. The company’s leaders have expanded their headcount, their physical and technical infrastructure and their user base. With GDPR coming down the pipe, they need to understand whether and how it applies to them and to the way they currently operate.

So, what is their priority? Creating a company data profile through a data mapping process and conducting a Privacy Impact Assessment (PIA) to understand where they may need to establish additional data protection controls.

First things first, to get to the PIA and prepare for potential tabletop exercises, the company needs to get the data mapping process underway.

We outlined these steps in depth in a previous article here, but let’s refresh our memories:

  1. Data identification and socialization
  2. Continuous improvement of the Data Lifecycle
  3. Data minimization and purge process

Conduct an Output Analysis

As you gather the mapping output from the various business areas, you will begin to understand what your data profile looks like both at scale and at the unit level. This is where the PIA kicks off.

Start with broad questions when evaluating:

  • Do we collect sensitive data? If we do, do we need it?
  • Where does our data reside?
    • Which third-party hosts handle our data?
    • Do any managed services store or handle our data?
    • Is our data on-premises?
    • In which geographic regions does our data reside?
  • Are there any outliers or third-party hosts we are omitting?
  • Is our definition of sensitive data based on a domestic, state or marketplace jurisdiction rather than on GDPR?
  • Are we aligning with the strongest member state baselines, such as those of Germany and France?

Are we High or Low Risk?

The answers to the questions above will inform your risk profile. The more sensitive the data, and the less adequately it is controlled by Role-Based Access Control (RBAC), encryption, or data minimization, the higher your risk and the more work will go into reducing your privacy impact.

Organizations working to integrate both privacy and security controls into their programs should remember that data can be secured and yet still conflict with privacy requirements if it is unnecessarily accessible or was collected without consent.

Shadow IT and the PIA

One of the hardest areas to spot, and a potentially large risk factor, is shadow IT. Shadow IT refers to devices, personal machines and unauthorized services (such as outside data analysis or research and development) that may not have approval to be on the network or to house any personal data. During the PIA you should continually monitor all parties to see whether any departments, individuals or satellite offices are operating outside standard protocols and channels.

Certifying that these elements are addressed lowers your privacy risk as well as your general security risk.
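As an added illustration (not from the article or from Tevora), the following Python sketch scores a constructed data-mapping inventory against the questions above, sensitivity, need, host, region, RBAC, encryption and minimization, and flags stores on hosts outside an approved list as shadow IT. The host names, region labels, weights and the high-risk threshold are assumptions to be replaced with your own.

```python
from dataclasses import dataclass

# Constructed values; replace with the output of your own data-mapping exercise.
APPROVED_HOSTS = {"on-prem", "cloud-vendor-a", "analytics-saas-b"}
EU_REGIONS = {"eu-west", "eu-central"}
HIGH_RISK_THRESHOLD = 3  # assumed cut-off between "low" and "high"

@dataclass
class DataStore:
    name: str
    sensitive: bool   # holds personal/sensitive data?
    needed: bool      # is that data required for the service or feature?
    host: str         # on-premises, managed service or third-party host
    region: str       # geographic region where the data resides
    rbac: bool        # access limited by role-based access control?
    encrypted: bool   # encrypted at rest?
    minimized: bool   # retention/purge process in place?

def risk_score(store: DataStore) -> int:
    """Sensitive data with missing controls scores higher; non-sensitive data scores 0."""
    if not store.sensitive:
        return 0
    score = 1
    if not store.needed:
        score += 2                      # collected without a need: minimization failure
    score += sum(not c for c in (store.rbac, store.encrypted, store.minimized))
    if store.host not in APPROVED_HOSTS:
        score += 2                      # unapproved host: shadow IT
    if store.region not in EU_REGIONS:
        score += 1                      # data residing outside the EU
    return score

def classify(inventory: list) -> dict:
    """Map each store name to 'high' or 'low' privacy risk."""
    return {s.name: "high" if risk_score(s) >= HIGH_RISK_THRESHOLD else "low"
            for s in inventory}

def shadow_it(inventory: list) -> list:
    """Stores on hosts missing from the approved list, sensitive or not."""
    return [s.name for s in inventory if s.host not in APPROVED_HOSTS]

INVENTORY = [  # constructed sample output of a data-mapping exercise
    DataStore("crm", True, True, "cloud-vendor-a", "eu-west", True, True, True),
    DataStore("research-dump", True, False, "personal-laptop", "us-east", False, False, False),
    DataStore("web-logs", False, True, "on-prem", "eu-central", True, True, False),
    DataStore("analytics", True, True, "analytics-saas-b", "us-east", True, False, True),
]
```

Running `classify(INVENTORY)` on the sample marks the unapproved research copy and the unencrypted, non-EU analytics store as high risk, while the well-controlled CRM and the non-sensitive logs stay low.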

Be Proactive

GDPR requires organizations to produce their processing activities to data subjects. This requirement should prompt you to look at your organization's roadmap and align any upcoming features, products and initiatives with it. Taking these proactive measures will serve your program well.

It’s important to follow the continuous lifecycle outlined in the strategic data mapping process. When doing so, consider the following questions:

  • We may be low-risk today, but does the road map highlight or indicate the collection of sensitive information?
  • How do we minimize this risk? Is the data crucial to providing this service, product or feature?
  • Are there alternative means or protections, such as encryption, that can be appended at the outset to ensure this risk vector remains narrow?

GDPR is a unifying legislation for the EU. It is the culmination of decades of work and, in that respect, its breadth is expected. For some organizations this can be daunting to address, but looking at your data profile and performing a PIA will help guide you toward creating a Global Privacy and Security Program, the ultimate objective for the modern global organization. Don’t fear GDPR, embrace it. It has the power to truly transform your organization.

About the Author

Christina Whiting is the managing director of Compliance and Enterprise Risk at Tevora.

David Grazer is a consultant on the Compliance and Enterprise Risk Team at Tevora.