Q
Get started Bring yourself up to speed with our introductory content.

How does a privacy impact assessment affect enterprise security?

A privacy impact assessment can help enterprises determine where their data is at risk of exposure. Expert Matthew Pascucci explains how and when to conduct these assessments.

What is a privacy impact assessment, and how do you conduct one? What effect can they have on enterprise secur...

ity?

A privacy impact assessment is a review of how an organization handles the sensitive or personal data flowing through their systems. Through this review, the organization -- or potentially a hired third party -- will review internal corporate processes, procedures and even technology to determine how privacy data on users or customers is being stored, collected and processed. This is commonly seen within government agencies and sometimes within organizations storing large amounts of private data on their users or customers, like in healthcare, e-commerce or other industries.

Certain countries have stricter data privacy laws -- like those within the EU -- and depending on the jurisdiction of the data, there is potential for regulations to guide this process or even mandate it. Enterprises that perform a privacy impact assessment are typically trying to determine where the data is at risk of privacy exposure and create plans to mitigate or compensate the privacy deficiencies before there's an issue.

If an organization holds privacy information in its systems and is either privacy-aware or looking to adhere to regulation, it is always helpful to have this exercise start before a system or application is implemented. If the assessment is done after the fact, then it's harder to have changes, applications and processes reverted. It's not impossible, but it's helpful to have these suggestions and risks brought to the forefront before anything is pushed into production.

During this time, it's also helpful to determine the key stakeholders and business owners; the exact personal information that will be stored, collected and processed; what technology will be used; ways to protect privacy within the technology, such as encryption or tokenization; and how the data actually flows through the systems. Creating and mapping out data flows is a huge task and needs to be done in order to review the scope of the project, map systems and, at times, visually assist with understanding how the architecture works.

One thing to consider with such a heavy focus on cloud is what third parties are involved and how they protect the privacy of this data. How does your cloud supply chain put your organization's privacy at risk if they're not following the same standards?

When risks like this are found, they need to be documented and reviewed by the team performing the  privacy impact assessment and given to the stakeholders responsible for remediating them. These report findings are determined after reviewing the application or systems with an impact analysis that is sometimes done with a questionnaire, interviews of those working with the system and in-depth technology review. The findings should be classified by risk, with suggestions for remediation.

Performing a privacy impact assessment doesn't particularly make the application or system more secure, even though this is possible; its main focus is to protect the privacy of the individuals whose data is being stored, collected and processed. The difference between privacy and security is subtle and many times goes hand-in-hand. With these assessments, we're more concerned with protecting how systems appropriately use the data under the laws and regulations to which they have to adhere.

Ask the Expert:
Want to ask Matt Pascucci a question about security? Submit your question now via email. (All questions are anonymous.)

Next Steps

Learn how to address privacy and security issues in Android VPN apps

Read what Whit Diffie has to say about privacy and security in internet of things

Discover new techniques for keeping cloud data private

This was last published in June 2017

Dig Deeper on Data privacy issues and compliance

PRO+

Content

Find more PRO+ content and other member only offers, here.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Join the conversation

1 comment

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

Do you find privacy impact assessments helpful? Why or why not?
Cancel

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly.com

Close