Legal Alert
Complete Your Privacy Impact Assessment (PIA) to Ensure Compliance With Varying Laws
June 8, 2023
Privacy law is changing constantly, and statutes differ across state and national borders. While ensuring your company's compliance with this patchwork regulatory landscape may feel overwhelming, one initial action will help you stay on safe legal ground.
First Step to Take
The privacy impact assessment (PIA) is a process for assessing and documenting compliance with applicable legal, regulatory, and internal policy privacy requirements. The laws that require one generally specify what the assessment must cover rather than a step-by-step method, leaving companies free to use any method reasonably designed to yield the required results. In other words, as long as the selected PIA method enables your company to (1) promptly identify the risks and likely effects of processing personally identifiable information (PII), and (2) evaluate existing and possible mitigation measures, the selected PIA method should be legally acceptable.
Companies with a track record of doing business in the European Economic Area, Switzerland, or the United Kingdom are already familiar with the PIA, because the General Data Protection Regulation (GDPR), which calls it a data protection impact assessment (DPIA), and similar laws require one for high-risk processing. In the United States, however, this is a relatively new requirement. Some U.S. state privacy laws (California, Colorado, Virginia, and Connecticut) have begun embracing the PIA, but others (such as Utah) have not. Unfortunately, this inconsistency makes it more difficult to assess compliance.
Tips for Compliance
One of the best ways to deal with the challenge of privacy laws that conflict by jurisdiction is to adopt a most-restrictive policy approach. Under this approach, your company complies with the strictest applicable requirement everywhere, including provisions that are not required in every jurisdiction where you sell or market but that still make sense from an operational perspective.
Alternatively, your company can make a state-by-state determination and fashion its compliance policies and procedures accordingly. Either way, because the PIA is a proven and useful method for identifying and promptly mitigating the risks of data processing activities (including collection, use, retention, security, and disposal), the case for using it is a strong one.
Does My Company Need a PIA?
Not all data processing activities require a PIA. For example, if your company does not process PII, there is no need to conduct a PIA. Companies can also opt to conduct a PIA only where the data processing activities involve higher risk. The Colorado, Connecticut, and Virginia laws, for example, require the entity that determines the purposes and means of processing (the “data controller”) to conduct a PIA (which those statutes call a “data protection assessment”) for high-risk processing activities such as targeted advertising, sales of PII, processing of sensitive data, and certain profiling. California does not yet define the types of processing activities that require a PIA, except that it should be used where the processing presents a “significant risk” to consumers’ privacy or security; this will likely be clarified by regulation as time goes on.
Is It Worth the Time and Expense?
Building a PIA culture in your company can be time-consuming. But the benefits of increased operational efficiency, a lower risk profile, fewer complaints involving the processing of PII, and greater public trust in your company’s handling of PII likely outweigh the costs.
How Did We Get Here?
The first comprehensive state privacy law was enacted by California in 2018 in the form of the California Consumer Privacy Act (CCPA). It was not long before more states followed suit. Today there are eight more state privacy laws to contend with and 12 more working their way through the legislative process.
We Can Help
Maslon can help your company implement a PIA on a case-by-case basis or with a broader policy level approach.