What is a Privacy Impact Assessment?
A Privacy Impact Assessment (PIA) is a thorough evaluation of an entire organization’s privacy practices and how effective the organization is in ensuring that none of its users are exposed to any unwarranted risk.
These assessments became crucial in most data privacy regulations after the GDPR introduced the Data Protection Impact Assessment (DPIA) under Article 35.
Per the official GDPR text, organizations are required to carry out comprehensive data protection impact assessments,
“Where a type of processing, in particular, using new technologies, and taking into account the nature, scope, context, and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons….”
Such assessments aim to test how robust and effective an organization’s privacy practices are. The assessments judge an organization’s data processing capabilities, the legitimate interest pursued by the controller, as well as all the safeguards, security measures, and mechanisms to ensure the protection of personal data.
These data protection impact assessments are carried out under the direct orders and supervision of the organization’s Data Protection Officer (DPO).
What are the Benefits of a Privacy Impact Assessment?
Of course, as with any business practice, an organization will want to know exactly how it benefits from a PIA. Some of the benefits an organization can expect are the following:
- Allows an organization to identify and resolve data protection-related risks and problems;
- Evaluates the privacy viability of any new data collection-related mechanism/practice;
- Minimizes the risk of data breaches;
- Minimizes the chances of data being misused;
- Aids an organization’s overall data compliance efforts.
How to Prepare Your Business For Risk Assessments & Audits?
All that being said, the key question remains how a business that has to abide by the CPRA can prepare itself for all the risk assessments and audits that lie ahead. While the process may not be straightforward, it will be relatively easy if a business has a clear idea of where to begin, what to know, and how to determine the best options.
Here are some steps any business can take to initiate their risk assessments:
- Identify and resolve “high risk” discrepancies in data collection and business practices identified by the PIA;
- Have the entire data collection process formally documented in meticulous detail to identify areas that may put data at risk;
- Have a thorough roadmap for how you plan to use the insights gained from PIAs.
Privacy Risk Assessments Under the CPRA
The CPRA text itself does not provide a sample of what an ideal privacy risk assessment should look like. However, by drawing on the documentation the CPRA requires and on the similar data protection impact assessment outlines under the GDPR, it is reasonable to state that any reliable privacy risk assessment under the CPRA should include the following:
- Description of the processing activities;
- Purposes of the processing activities;
- Legitimate interest pursued by the organization via its processing activities;
- Assessment of the processing activities in relation to the purposes;
- Assessment of the identified potential risks to individual privacy rights;
- Safeguards, security measures, and mechanisms to ensure the protection of personal data.
The CPRA has some exemptions in its official text, such as employees’ data, which is excluded from certain provisions such as the right to deletion. Any organization subject to the CPRA must work closely with its data privacy professionals to design a privacy risk assessment that not only ensures regulatory compliance but also delivers a reliable assessment that can be leveraged to improve the organization’s data processing activities in general.
California Privacy Rights Act (CPRA): Regular Risk Assessment
The CPRA will replace the CCPA on 1st January 2023. When it comes into effect, it will have lasting implications for businesses operating in the region. Some of these implications are not yet known exactly, as the CPPA still has to issue the rules and regulations that define them; these are expected to come into force on July 1st 2022. The requirement for businesses to conduct Regular Risk Assessments is one of those obligations that the CPPA must define. Based on the text of Section 1798.185(a)(15)(B) of the CPRA, however, we can already highlight some salient features of CPRA Regular Risk Assessments:
a. Significantly Risky Processing Activities
The CPPA is required to create regulations that will impose these assessments on covered businesses whose processing of consumers’ personal information presents a significant risk to consumers’ privacy or security. What type of processing is considered to present a ‘significant risk’ to consumers’ privacy or security is not defined in the CPRA, so the CPPA will have to set that threshold.
b. Conducted and Submitted on a Regular Basis
Businesses will be required to conduct these risk assessments and submit them to the CPPA on a regular basis. This requirement differs somewhat from Article 35 of the GDPR, under which Data Protection Impact Assessments (DPIAs) need only be conducted prior to the processing or when there is a material change in the processing operations.
c. Include Processing of Sensitive Personal Information
Regular Risk Assessments of risky data processing activities will need to highlight the use of Sensitive Personal Information.
d. Weighing Risks v. Benefits
Businesses subject to the CPRA that conduct Regular Risk Assessments will have to identify and weigh the benefits resulting from the processing to the business, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing.
e. Eliminate Risks
The CPRA explicitly requires businesses to eliminate processing activities that the Regular Risk Assessments find to create more potential risks to the rights of the consumer than benefits for the business, the consumer, other stakeholders, and the public.
f. Trade Secrets will be protected
Businesses will not be required to divulge trade secrets when conducting and submitting CPRA Regular Risk Assessments.
How Can Securiti Help?
The CPRA, like every other data protection law, goes to every possible length to ensure strict security measures are in place so that the users’ data being collected is adequately protected. Privacy Impact Assessments may seem tedious to most businesses at the start, but at their core they give every business a realistic view of how well its infrastructure protects its users’ data privacy.
Of course, due to both the sheer volume of data involved and the relative inexperience of most businesses with this practice, implementing it within an organization can be considerably harder in practice.
That’s where Securiti can help you.
Securiti is a market leader in providing enterprise solutions in data governance and data compliance. Thanks to its acclaimed artificial intelligence and machine learning-based algorithms, Securiti can automate these privacy impact assessments while highlighting the gaps that exist in current practices.
Request a demo today to learn more about how else Securiti can aid your organization’s CPRA compliance efforts.