S1 E6: Making Data Privacy Impact Assessments Easier

Transcript

Making Data Privacy Impact Assessments Easier

Matt Cagle: Hi, everybody. Welcome to Compliance Pointers. I’m your host, Matt Cagle.

I’m joined by my buddy, Matt Dumiak, our Director of Privacy Services. Matt and I have had the pleasure of working together for 15 years. He knows a lot about privacy. We’re glad to have him here to share his insights.

There’s obviously been a lot of change in the privacy sector in 2023, particularly at the state level here in the US. We would need to have a whole podcast series to address everything that has happened in 2023. For the sake of time, we wanted to focus this a bit on data privacy impact assessments. I basically want to get your perspective for our listeners on what is a data privacy impact assessment and what tips would we have for our listeners on how to leverage those and do so hopefully in an efficient fashion.

Matt Dumiak: I think, to your point, it has been a really active year. I think 2023 was the most successful year on the legislative front for states to pass a privacy law. I think they’re starting to finally figure it out.

With that, we have actually seen that, we’ll just call them DPIAs for short, the majority of states are starting to have that requirement in their state law. It is very common at this point. I believe 10 of the 12 states have a data privacy impact assessment requirement. Three are only effective today, but it’s going to obviously expand over the next couple of years, and states are going to continue to pass privacy laws. I think the number is just going to continue to grow. It’s in basically in the vast majority of every state law, so it’s obviously a priority. Then we can talk a little bit about what they are, if that sounds good. I know we’re going to provide that base.

Matt Cagle: Yeah, so before we get into how to use them and how to do so effectively, what is are data privacy impact assessments?

Matt Dumiak: It’s a good question. The goal is to help organizations or businesses understand through doing a DPIA what risks are presented to the consumer through that processing activity. When we talk about a risk assessment or any type of assessment, traditionally, an organization or a business might be thinking about an assessment of their own practices and the risks it presents to the business.

A DPIA is a different way of looking at that. It’s the risks to the consumer when it comes to that processing activity.

Matt Cagle: For the non-privacy experts, perhaps such as myself, if I’m a company and I am capturing customer data, what type of event internally in my organization would trigger me to perform a DPIA?

Matt Dumiak: Yeah, and so it’s pretty broad triggers. There are pretty broad triggers, but just even backing up. Data Privacy Impact Assessments are required when a processing activity presents a heightened risk to the consumer.

Then these laws, what they’ll do is explain or outline very clearly what kind of activities would present heightened risk to the consumer. Some of those examples are things as broad as targeted advertising, which probably feels a bit under attack from these privacy laws, given there are a lot of obligations for organizations that are doing targeted advertising.

If an organization is processing sensitive personal information, things like health information, but we could go beyond that, like political alignment or sexual preference or anything like that that might be considered more sensitive than just your personal information.

If there’s a chance, and this is kind of broad too, but if there’s a chance that the consumer could be treated unfairly or deceptively, like a lot of organizations, they’re not looking to do anything like that. But I do think it kind of speaks to how broadly an organization needs to think about these processing activities and not just that it’s like, oh, we have a risk of a breach, but decisions that might occur around that data and then beyond that, just thinking about the harms that might come to that consumer if there is some type of adverse action.

Matt Cagle: Makes sense. So before I even consider a DPIA, first off, what data is my company collecting? How are we handling that data, processing it, et cetera? What are the elements that’s included in that data? And then I need to basically compare that to these various state requirements and obligations that you’ve mentioned to see, does that trigger the DPIA?

Matt Dumiak: Yeah, specifically the processing activity using that data. It’s going to be processing activity specific. So keeping that in mind too, I think is when we talk about kind of some challenges that organizations face is that’s also kind of broadly written. And so aligning that to your DPIA is really critical as well to make sure that it’s accurate.

Matt Cagle: And it sounds like, correct me if I’m wrong, right now, if I go through this exercise, I would have, is it two states that I would need to look at their requirements that are in effect?

Matt Dumiak: Yes, correct.

Matt Cagle: But it’s soon going to be perhaps another ten or so?

Matt Dumiak: Yes, exactly right.

Matt Cagle: I think we both agree that the remaining 38 states are likely to follow suit.

Matt Dumiak: Oh, of course. Yeah, you can look at these laws. They’re largely copycat. At this point outside of California, who’s going to be the pack leader?

Matt Cagle: So for looking at the processing activities, do you have examples you’ve seen from working with our clients of business situations that typically do trigger that?

Matt Dumiak: You know, we talked a little bit about them earlier just because they are so broad. But targeted advertising, if an organization has a website, they’re doing that, right? But if you’re talking about processing activities that might contain, if you’re doing a survey and you collect gender or any type of sensitive category of information, but anything like that.

Matt Cagle: So the elements laid out by these states, I guess my question is, as a company, what should cause me to want to reevaluate at that point if a DPIA is required? Could it be the acquisition of another company using a new third-party vendor, possibly a new campaign lead source?

Matt Dumiak: Yeah, that’s a great question. Acquisition of course would certainly undertake that. Any type you really want to set up, we really recommend our clients set up some type of threshold analysis.

So before triggering or undergoing a full-blown DPIA, which can be fairly comprehensive and very time-consuming, setting up some type of analysis or threshold analysis that would set kind of a shorter questionnaire or version of a DPIA to say whether or not a DPIA is required. And yeah, any number of those things may trigger that DPIA. New marketing activities, new vendors, acquisition of an organization certainly, but at that point they might have their own DPIAs and that’s kind of much broader. At that point you might require several Data Privacy Impact Assessments if it’s through an acquisition.

But yeah, any number of those things would certainly warrant at least understanding whether or not you need to do a DPIA.

Matt Cagle: So you, as an organization, have processes in place to evaluate those types of trigger events to determine does it change the data that’s in your possession, the way you’re handling it processing it?

Matt Dumiak: Very common these days, what we’re seeing a lot triggering a DPIA is like a chatbot going on the website and saying, okay, we’re using it for, see a lot more of the customer service space where it’s just helping consumers kind of get to answers quickly. It’s not really making a ton of automated decisions around that consumer or anything like that that might be risky at that point that you would say. But you’d want to evaluate that through a DPIA to ensure that, hey, what are we collecting? What are we doing with it? How are, a lot of times with any type of chatbot or something that may be beyond that considered artificial intelligence, those types of organizations and products are compiling or aggregating that information, making their own solution better, but might be making some decisions in the background depending on how they work. That’s kind of one that we see fairly common out there in the space.

Matt Cagle: So it sounds like an initial challenge in this area is just understanding whether or not a DPIA is required at the time.

Matt Dumiak: Yep, exactly.

Matt Cagle: If you come to the conclusion that you should conduct one, what are some other challenges companies should be on the lookout for?

Matt Dumiak: Yeah, and so these Data Privacy Impact Assessments that require a lot of information and so challenges our clients are facing are even finding the information because it can be broad, it can go across the organization. Like it or not, a lot of times the DPIA tends to sit in the privacy wheelhouse and so it’s the privacy team that’s shepherding those Data Privacy Impact Assessments along. Well, they might not know the ins and outs and the technology and the different systems and applications that might be in use with this processing activity.

Let’s talk about a website chatbot, at that point you’re talking about, okay, well, we have to talk to the website team, we have to talk to the IT team, we might need to talk to procurement. So even just getting the information can be a challenge because everybody’s busy and everybody has a day job, collecting that or compiling that kind of information may not be as easy as we think it is when we’re kind of going through that exercise.

And I think you can admit as the team that it’s going through it pretty quickly if you don’t know what the answers are, trying to find that sooner rather than later because again these things can be, the Data Privacy Impact Assessments can be fairly robust and very time-consuming. So getting to that information is certainly a challenge.

Matt Cagle: Okay, I know talking to you often our compliance and privacy clients are limited from a staffing and resource standpoint, it’s changing a bit, it becomes a higher profile in the space but beyond the challenges of gathering the information, perhaps having the support or bandwidth to do it. Any other common issues you see our clients having?

Matt Dumiak: Yeah, and we can even talk a little bit about how to overcome those two, but we talked about the requirements around the DPIA and when it’s required. So the broad triggers are certainly a challenge. I think that’s kind of, you know, it’s a different way of thinking about how an organization can go about processing personal information.

But then also what if you go through the Data Privacy Impact Assessment process and the processing activity is too risky? So kind of even, you know, when you’re going through the DPIA, it’s the goal is to understand the risk and mitigate the risk. So you can apply controls or mitigating measures if you find that, for example, you’re processing personal information and you’re transmitting it in, you know, unencrypted format. Right. Okay, well, let’s encrypt that data. Let’s mitigate that risk. There might be a time where you’re doing something through this DPIA where you cannot mitigate the risk and the organization really needs to at that point, it’s almost a culture switch a little bit of saying, well, we can’t do this processing activity. And at times for the business, that’s going to be tough to swallow. And so even that can certainly be a challenge because you are going to find that.

I think risk in general is somewhat of a challenging topic for some organizations because understanding what their appetite for risk is. But then also, how do you track risk? How do you treat risk? How do you understand what there might be, you know, kind of risk that remains? That is certainly a challenge for organizations to think through. And something we’re helping shepherd along is helping establish that appetite for risk and how to mitigate risk and how to learn, you know, what are we going to accept versus what are we going to have to, you know, either put a control around or not do.

Matt Cagle: I know we see this all the time with our clients where compliance, legal, those that have been tasked with this responsibility, obviously, it’s part of the job. They want to mitigate risk. Often the business has goals and mitigating that risk could impact their ability to hit those. So you might not always be getting that executive or leadership support. What are you seeing companies do when they have conducted the DPIA, they’ve identified that there’s a high risk of processing, but it’s pretty critical to their business operations.

Matt Dumiak: And it’s going to depend, obviously, per situation. Because it is so specific to the processing activity. But I mean, it’s implementing those compensating controls or, you know, at times we have to be, to be candid, you have to accept the risk at some level, too. An organization is going to find that with the Data Privacy Impact Assessment. If it’s that critical to the business’s goal or moving forward with some type of processing activity, they may just be willing to accept it. And oftentimes you can mitigate the risk. If that’s, again, through those examples we talked about, is it more transparency to the consumer? Is it giving them additional privacy rights and the ability to opt in or opt out of that processing activity? Is it some type of technical or security control?

A lot of times there’s kind of some core principles that you can operate behind with transparency and choice. Those can go a long way in mitigating a lot of the risk. But again, it might come down to, you know, working with the executive team to educate them on the situation and make sure that everyone’s on the same page that you’re accepting it as well.

Matt Cagle: And I think we’d both agree that you’re worse off knowing that you’ve got high risk and doing nothing about it than probably never being aware of that risk at all.

Matt Dumiak: You’re exactly right.

Matt Cagle: Once companies go through this exercise and indeed a high risk level, you’ve got to do something. Like you said, compensating controls, mitigate it in some form or fashion, at least have that paper trail showing you took a thoughtful approach and that you had a legitimate reason to continue with that.

Matt Dumiak: Well, exactly right. And another challenge that, you know, we’re not attorneys, so I don’t know the ins and outs of this, but in working with outside counsel, another challenge with these DPIAs and kind of very similar along the lines that you were just talking about, Matt, is ensuring that where it’s applicable that you have attorney-client privilege. And so that, you know, as these are living documents, as you’re completing them, maybe some things are finalized, like you need to ensure that maybe a draft DPIA is labeled as draft and, you know, final Data Privacy Impact Assessment should be accurate, comprehensive, needs to be the final version of whatever that process and activity is outlining all of those things that a DPIA requires, because what you don’t want to do is start balancing, oh, we have this one that identifies this risk, but doesn’t clearly identify that we mitigated that risk, right? And so even like working through that is really critical for sure.

Matt Cagle: So I want to talk about organizationally who you would need to involve in this exercise and what our clients can expect when they embark on this exciting journey. Before we move to any other challenges we want to raise for the audience.

Matt Dumiak: No, I think we’ve talked enough about challenges.

Matt Cagle: So segueing very gracefully into the topic of who you would want to include from the organization, right? If I’m charged with conducting these Data Privacy Impact Assessments and spearheading an organizational initiative, what departments, groups do I need to expect to include in that effort?

Matt Dumiak: So we’ve talked a good bit about the fact that these are broad and they require a lot of different pieces of information to complete one in a Data Privacy Impact Assessment. It’s a multidisciplinary approach. Of course, it’s a legal obligation. You would want to have your legal team involved. We talked a little bit about the tech team, IT, information security, they would likely be involved.

And then from an operational perspective, ensuring that you can get this thing across the finish line even, you may want to consider including your project management office, because you will need to shepherd this along, you’ll need to gather information from various groups and it just depends on the process and activity. It could be marketing, it could be HR, any type of department that is pertaining to the personal information processing activity would likely be involved with this Data Privacy Impact Assessment so you could get the information that you need.

But again, privacy team two is going to kind of sit on top to help reveal those privacy risks and assist with advising on how to mitigate those risks too.

Matt Cagle: So our clients have standing meetings or a committee that gets together periodically to see is it time to conduct a Data Privacy Impact Assessment? Do we need to add anybody else into this conversation? I guess how administratively, operationally, how do you stay on top of that?

Matt Dumiak: Some will have a committee. Others, if they’re more mature, will have a process of regularly either reviewing or onboarding and approving new processing activities, like it or not, a lot of times those are kind to vendors that might be a good place to start if you’re launching your DPIA, DPIA operational process but at that point it might be as simple as having some type of meeting or questionnaire that answer or ask a few of those questions that we’ve talked about and determining whether or not that DPIA is required so that it would be that trigger.

Again, some of the more mature clients we’re working with, that would be through some type of vendor onboarding process or processing activity or approval process that would automatically kick off a Data Privacy Impact Assessment and it has assigned parties and you can assign different parts of it. If you’re working from Excel or Word, obviously that’s going to be a little bit harder. The team is going to be kind of hunting down that information or sending it to the various business requirements but certainly the committee approach is one we see very often and again it might even sit with like procurement or something like that when the vendor or a new contract comes on board because that is typically tied to a new processing activity.

Matt Cagle: So as we put a bow on this, any recommendations you would have on how to make this process easier?

Matt Dumiak: Yeah, we have a good bit of those, absolutely. We’re always looking to make it easier for our clients, of course, as consultants.

Right, we don’t want to go by the old adage there’s a consultant that always you can pay to make the problem worse.

Certainly, I think, and we talked a little bit about this through our webinars and through our blogs and things like that too, I think oftentimes an organization wants to start with just a template. Hey, we’ll get a DPIA template and we’ll launch that. It’s going to be great. Not really realizing that the questions are pretty complex. No one knows how to answer those questions just yet and so kind of thinking about that a little like back it up a little bit before launching that template in this process would be looking at the requirements, looking at the benefits to the business and defining some success metrics around what a DPIA process would look like. Is it ensuring that you’re reducing risk to both the business and the consumer? Is it reducing vendor redundancies when you’re conducting these DPIAs and looking at the entire ecosystem and understanding what vendors are there and what they do, what they’re doing with personal information? That’s really critical.

I think education to the business and doing training. We’ve all been through that process or we’ve all been engaged in a process that may not impact our day-to-day business responsibilities and I think one of the first questions is why is this important? Why am I in this room? What does it mean to me? So really educating and training can go a long way. I think it gives some people some skin in the game as well because they know now at this point, like okay, there’s a process. I know what it means. I know why I have to do it. I know why it’s critical.

We are pretty fortunate that a lot of individuals within the business who aren’t even working within the data privacy space every day are interested in data privacy so you can certainly get volunteers in that front too as you’re going through the education and training process because people definitely want to help.

And then even going beyond that, okay, define success. You’ve trained, you’ve educated the business, ensuring that you establish a culture of accountability because these things, the Data Privacy Impact Assessment is going to take some project management and you’re going to need information and there should be deadlines set so that these things can continue to move forward and you can get the necessary information you need from the various business units you might be working with.

I think all those types of things are really critical in ensuring this is a successful process.

Matt Cagle: know we’re up on time, I guess any gotchas that you’d want to call out for the audience. Absolutely agree with any initiative like this education, support from executives and leadership to get that organizational buy-in is critical and standardization templates and so on. Any particular areas that would be a red flag for our clients or just anything that they should have on their radar?

Matt Dumiak: Yeah, that’s a good question. I think that the appetite for risk and then also managing enterprise risk are something that I don’t want to, that’s not an easy task and it’s not something easy to establish. And so I think that that goes back towards really ensuring that you have buy-in from the business and it could be that it needs to go up to the executives depending on company culture. We can’t speak for that today, but if it does, if it requires the board or the executive team to sign off on that, oftentimes what we hear is you go through the DPIA and when we come in to help an organization operationalize this, they’ve been doing it and they’re like, okay, we did this Data Privacy Impact Assessment, but now what?

Things might change or we found these risks and we don’t have a good understanding of how to treat risk and manage risk. Those types of things are a little bit of a culture change with an organization. So I’d say look out for that, especially because as we’ve talked about, these EPIAs have not traditionally been required in the United States. And so now all of a sudden with these state privacy laws requiring them, not only will the regulators expect you to know a little bit more about risk and how to manage it, but they could even request these Data Privacy Impact Assessments.

You may be required in California to submit an abridged version of them at the end of the year. So thinking through how you’re going to demonstrate that you are understanding risk, where you’re accepting it, where you’re treating it, where that rationale is, I think will be really critical.

Matt Cagle: I think that’s a new way at looking at data and data processing culturally, especially for your organizations that have been around a while with tenured executives. It’s a change in the mindset. And I think we’re seeing it have to happen out of necessity here rather quickly as these state laws evolve rapidly. And we’ve even seen some federal enforcement here not related to, unfortunately, US federal privacy laws to make everyone’s life easier, but particular enforcement from the FTC, where they have not been thrilled with the way that companies are capturing, protecting, securing their client data.

Well, Matt, thank you for your time. Thanks, everybody, for listening.

If you are not currently a subscriber, please hit that subscribe button on whatever podcast platform you prefer. And as a reminder, we are issuing episodes like this on a regular basis.

Should you need any support with your data privacy, data security, or compliance initiatives, please don’t hesitate to reach out to the team at CompliancePoint. You can reach us directly at connect@compliancepoint.com.

Thank you.