Privacy Impact Assessments
Ensure privacy is not an afterthought.
Whether you’re in the public or private sector, PIAs are one of the most common tools for organizations to demonstrate that they have done their privacy due diligence on a new project or system. Though PIAs are common practice, they can require a lot of effort and expertise to complete efficiently and accurately.
For public bodies or highly visible projects that deal with sensitive information, these documents are often submitted to regulatory bodies for review prior to allowing projects to move forward. PIAs analyze many details about your project, including what type of data is being collected, used, or disclosed, and determine whether or not those activities are compliant with the applicable privacy legislation.
The final product of a PIA also involves a comprehensive list of privacy risks and mitigation strategies to demonstrate to regulatory bodies that you take these risks seriously.
Get your PIA completed by an expert
PrivacyWorks specializes in writing PIAs and our team completes hundreds of these documents every year for organizations across Canada. Our consultants will use their decades of experience in writing PIAs to guide you through this process from kick-off to sign-off to ensure your project is successful and on time. We can help your team by coordinating with regulatory bodies and providing comprehensive advice through the entire process to ensure you’re meeting requirements without over-burdening you and your team.
For new and sophisticated privacy teams alike
For those organizations that already have a dedicated privacy team, a common challenge is simply keeping up with the workload of PIAs that need to be completed on various projects. Our team of Senior Privacy Specialists can offer on-demand assistance to help clear any PIA backlogs that are burdening your team. With our experience in completing hundreds of different PIAs, our team can jump in at a moment’s notice and you can be confident that you will receive a professionally completed PIA on your project.
FAQs
-
In Canada, most public sector organizations are required by law to complete PIAs on any new process, project, or tool that is being implemented and may deal with Personal Information. Private sector companies usually aren’t required to complete PIAs unless they will be interacting with a public sector organization; however, some companies adopt PIAs as a standard operating procedure to promote privacy compliance as a best practice within their organization.
-
PIAs can vary widely in their complexity depending on the system, players involved, and information collected. On average, PIAs often take 1-2 months to complete; however, we rely heavily on getting relevant information from the client to ensure we can complete the PIA in a timely manner.
-
For any PIA, we start off by gathering as much information as possible about the project. Any agreements, policies, procedures, contracts, etc. are analyzed to gain a clear understanding. For all remaining gaps, or if there is minimal to no documentation, we conduct interviews with Subject Matter Experts to complete our understanding. Finally, we map out all business and data flows, conduct a legislative analysis, and provide a comprehensive list of risks and mitigation strategies.
-
PIAs are completed as a snapshot in time, and it is reasonable to expect that your project or solution may change in the future. If the changes are not too substantial, we can incorporate updates into a PIA Addendum rather than completing an entirely new PIA.
-
PIAs can certainly be completed internally; however, they are extremely resource intensive and require a certain level of expertise that you may or may not have in house. We help organizations complete PIAs for one of a few different reasons:
Their team doesn’t have enough time to complete a PIA.
Their team doesn’t have the required expertise.
They want to have an unbiased 3rd party complete this assessment to avoid any questions or concerns about the legitimacy of the document.
-
Risks will always be a part of the game. Depending on the severity, your organization may be comfortable with accepting these risks. Otherwise, we will help you develop mitigation strategies to ensure a roadmap is in place to address these risks.