• Blog

A Framework for Privacy Risk Self-assessment

With the recent raft of worldwide privacy legislation and much more to come, organizations of all shapes and sizes are becoming forced to evolve the way they do business. Those SMEs that can’t bring their operations into compliance with the GDPR, CCPA and other data privacy laws worldwide will be at a significant competitive disadvantage, and may even find that continued non-compliant operation merely is unsustainable.

With the recent raft of worldwide privacy legislation and much more to come, organizations of all shapes and sizes are becoming forced to evolve the way they do business. Those SMEs that can’t bring their operations into compliance with the GDPR, CCPA and other data privacy laws worldwide will be at a significant competitive disadvantage, and may even find that continued non-compliant operation merely is unsustainable.

In this “adapt or die” scenario, the essential first step to getting compliant is for SMEs to perform a rigorous self-assessment of their present-state data operation.

There are three basic formats to self-assessment:

  1. Business units can analyze their practices.
  2. Different groups within the agency can review and analyze each other.
  3. A single appointed party can assess each unit in the business.

At Ethyca, we believe in empowering a Data Protection Officer to be a real focal point for all data-related business operations. So if scale permits, we recommend delegating full responsibility for the exercise to a DPO. Of course, each organization’s privacy self-assessment will be inherently different. However, the following aims to provide a framework that will serve as an excellent starting point for any business looking to evaluate its path to data privacy compliance:

First: Plan the Objective of the Assessment

Is your organization trying to determine whether existing policies ensure regulatory compliance? Deciding the specifics of what to assess is a critical first step.

Second: Conduct a Personal Information Inventory Check Across All Business Units

It involves answering the following questions:

  • What personal information does the business unit collect?
  • How do you collect personal information and in which situations?
  • Why do you collect personal information?
  • Who in the company uses personal information?
  • Who has access to it?
  • Where and how do you store personal information?
  • What methods are used to ensure it is secure?
  • Is it disclosed outside the company? If so, to whom and why is it disclosed?
  • How long is the personal information kept, and when and how is it disposed?

Only by answering these questions can businesses understand the work needed to bring themselves into a state of regulatory compliance. It’s vital to cross-check these answers against provisions in the GDPR, CCPA, and other relevant pieces of regulation by the DPO. Additionally, you should actively cooperate with internal or retained legal counsel proficient in privacy law. The exercise should result in a set of tasks or processes to accomplish to reach the desired level of privacy compliance.

Last: Review Past Privacy Complaints

Finally, we recommend reviewing privacy complaints as part of a privacy self-assessment. Especially those that have arisen in the recent past, three years is a sufficient window. It will give you insight into where potential privacy pain points exist between your business and the consumer. That way, you can pay extra attention to these areas as you’re revamping them to be regulation-compliant. So if your organization doesn’t keep logs of such complaints, we’d like to say congratulations! You’ve uncovered another process that needs revamping to survive in the new competitive landscape!

Published from our Privacy Magazine – To read more, visit privacy .dev

  • Ethyca announces fundraise, doubles annual revenue with new enterprise clients, and reveals new brand.

    Read More
  • Today we’re announcing faster and more powerful Data Privacy and AI Governance support

    Read More
  • See new feature releases enhancing user experience, adding new integrations and support for IAB GPP

    Read More
  • Learn more about the privacy and data governance enhancements in Fides 2.27 here.

    Read More
  • Read Ethyca’s CEO Cillian Kieran describe why and how an open data governance ontology enables companies to comply with data privacy regulations and frameworks.

    Read More
  • Ethyca sponsored the Unpacking Privacy Engineering for Lawyers webinar for the Interactive Advertising Bureau (IAB) on December 14, 2023. Our CEO Cillian Kieran moderated the event and ran a practical discussion about how lawyers and engineers can work together to solve the technical challenges of privacy compliance. Read a summary of the webinar here.

    Read More

Ready to get started?

Our team of data privacy devotees would love to show you how Ethyca helps engineers deploy CCPA, GDPR, and LGPD privacy compliance deep into business systems. Let’s chat!

Speak with Us

Sign up to our Newsletter

Stay informed with the latest in privacy compliance. Get expert insights, updates on evolving regulations, and tips on automating data protection with Ethyca’s trusted solutions.