A privacy impact assessment (PIA) is a process to help you identify and minimize data privacy risk. Specifically, this type of assessment helps identify the risks to an individual when an organization collects personal information for a business purpose. There are many reasons an organization might collect personal data. For example, all businesses must collect personal information from employees to process payroll taxes. Many businesses collect personal information from customers to ship goods and services or conduct research to create new products.An organization should complete a PIA any time it intends to collect a new data element from an individual, such as name, date of birth, age, race, sex, address, biometric identifier, or any other element of personal data. Completing a PIA helps an organization think deeply about privacy issues and risks related to collecting specific types of data. To complete a PIA, an organization should:
Clearly specify the data that it wishes to collect from a person.
Clearly document why it must collect that data.
Describe how the data will be collected, used, and stored.
Document the risks of collecting, using, and storing, the data.
Describe the measures that the organization will take to reduce the risks of collecting, using, and storing the data.
Organizational leaders will use the information provided in a PIA to determine whether the need for collecting the data outweighs the risks to the organization that are posed by collecting it. This is a business decision. Stakeholders such as legal counsel, human resources professionals, and information security and privacy professionals will often help prepare and review the PIA. An organization usually does not need to share its PIA with other entities.In this lab, you will learn about and prepare a privacy impact assessment for a fictitious organization.Lab OverviewThis lab has three parts, which should be completed in the order specified.
In the first part of the lab, you will document the personal information that a company seeks to collect.
In the second part of the lab, you will document the risks of data collection.
In the third part of the lab, you will explain why (or why not) the company should collect the personal information specified in Part 1.
Finally, if assigned by your instructor, you will complete a challenge exercise that allows you to use the skills you learned in the lab to conduct independent, unguided work – similar to what you will encounter in a real-world situation.Learning ObjectivesUpon completing this lab, you will be able to:
Identify personal data elements.
Describe risks to the collection of personal data.
Justify data collection activities.