Untangling the Privacy Alphabet: Privacy Risk Assessments
What is a Privacy Risk Assessment (PRA)?
A privacy risk assessment (PRA) measures an organization's privacy risk against a recognized privacy framework, such as the NIST Privacy Framework. Privacy risk assessments focus on practices that may inherently put the private data of consumers, employees, or other individuals at risk, and they ensure that privacy is considered as systems and processes are designed and deployed.
For example, if an application collects more data than it needs, such as asking for an individual's complete birthdate when all it needs to know is whether the individual is over 18, the data being collected is not being minimized, and that is a privacy risk. PRAs also help ensure that privacy gaps which could result in breaches of information, such as failing to protect against data leaks (NIST Privacy Framework, PR.DS-P5), are minimized or eliminated where possible.
Do I need a Privacy Risk Assessment (PRA) or a Privacy Impact Assessment (PIA)?
While other privacy assessments, such as a Privacy Impact Assessment (PIA), are performed for one specific application or process within a company, a PRA is performed for the entire organization. It is not focused on how a single application functions, but on how the organization addresses privacy risk overall. As a best practice, the PRA should be performed first, before additional privacy assessments such as a PIA, because it provides a baseline that those assessments can build upon.
PRAs often include some of the same requirements found in cybersecurity risk assessments, such as maintaining controls that protect data at rest and data in transit. As a result, the two types of risk assessment can often be performed in tandem, giving a single view of the privacy and cybersecurity risks a company faces.
Just like other risk assessments, results from a PRA can be tracked in a risk register. This allows a company to track progress against privacy risks and to understand which risks, if any, have been accepted and how the rest are being mitigated.
Tips for Performing Joint Privacy and Cyber Risk Assessments
When performing a joint privacy and cybersecurity risk assessment, it is helpful to pick two frameworks that are written in a similar structure and that already have a published crosswalk, or mapping, between them.
For example, NIST maintains a crosswalk between the NIST Privacy Framework Core and the NIST Cybersecurity Framework, so controls in one can be mapped directly to controls in the other. Assessing against the mapped pair gives a more holistic view of risk, because privacy and security risk are evaluated together. Executives and other risk professionals within the company can then treat privacy and security as one integrated picture rather than as unrelated efforts.
Additionally, mapping a cybersecurity framework to a privacy framework allows a single risk assessment question to address multiple controls at once, saving both time and resources for the assessors.
The Bottom Line on Privacy Risk Assessments
While PRAs are not yet mandated, they are an excellent way to show customers and employees a dedication to privacy. PRAs also reduce liability and ease compliance with regulatory standards, because privacy risks are identified and addressed before they become incidents, and any gaps are tracked through remediation.
A PRA provides a straightforward way to understand where privacy risks exist in your organization and is an excellent foundation for starting a privacy program. Once found, the privacy risks can be documented and tracked to remediation, leaving the company better protected against potential breaches of private information and better able to maintain a robust privacy posture.