The Dangers of IT Failure (& How a Privacy Impact Assessment Can Help)
Make your environment more secure with our “All-Access Tour: Office 365 Security and Governance Features” on-demand webinar!
The value of an organization’s IT department can’t be overstated. They’re vital to making sure that everything runs as smoothly as it should. As a result, it’s only natural to want to maintain a secure IT environment at all times.
IT risk is basically any threat to your business data, critical systems, or business processes. It’s the risk associated with the use, ownership, operation, involvement, influence, and adoption of IT within an organization. In this post, we’re going to go over the risks that come with IT failure and how a Privacy Impact Assessment (PIA) can help.
Potential Impact of IT Failure
IT failure can impact businesses in a wide variety of ways. These can result in fines, loss of reputation, and even prosecution depending on the severity of the failure. We can break these down into three different affected area:
Security Breaches
A breach of an organization’s security can result in:
- Identity fraud and theft,
- Financial fraud or theft,
- Damage to your organization’s reputation,
- Damage to your organization’s brand,
- Damage to your organization’s physical assets
Downtime/Outages
While not as severe as security breaches, extended downtime can mean:
- Lost sales and customers
- Reduced staff and business productivity
- Reduced customer loyalty and satisfaction
- Damaged relationships with partners and suppliers
Compliance Breaches
Compliance breaches are perhaps the most terrifying possibilities that can come from IT failure. These can include:
- Breaches of legal duties,
- Breaches of client confidentiality,
- Penalties, fines, and litigation,
- Reputational damage
What’s a Privacy Impact Assessment (PIA)?
A PIA is a systematic assessment of a project that:
- Identifies the impact that the project might have on the privacy of individuals, and
- Sets out recommendations for managing, minimizing, or eliminating that impact.
In other words, a PIA should essentially “tell the story” of a project from a privacy perspective.
Why do one?
It’s an opportunity to make sure your project complies with privacy laws, but it’s also a chance to go beyond compliance and consider the project’s broader privacy implications and risks. It can help you to identify whether the community (or the business) will accept the planned uses of personal or sensitive information in the project.
GDPR’s Role:
The instrument for a privacy impact assessment (or data protection impact assessment (DPIA) was introduced with the General Data Protection Regulation (Art. 35 of the GDPR). This refers to the obligation of the controller to conduct an impact assessment and to document it before starting the intended data processing. One can bundle the assessment for several processing procedures.
Basically, a data protection impact assessment must always be conducted when the processing could result in a high risk to the rights and freedoms of natural persons.
Which projects would benefit from a PIA?
You should consider undertaking a PIA for any project that handles personal information including designing new products, service delivery, or legislation. Some situations where a PIA would be necessary include:
- Undertaking a data matching activity
- Designing a mobile app
- Implementing a new loyalty program
- Considering proposed legislation
- Integrating databases
- Collecting new categories of customer data for direct marketing
- Engaging a third-party contractor to manage data handling
- Working on a high-risk project
When to do a PIA
To be effective, a Privacy Impact Assessment should be an integral part of the project planning process, not an afterthought. Build a PIA into your project planning timeline from the beginning.
You should undertake the PIA early in the development of a project so that it’s still possible to influence the project design. You could also reconsider proceeding with the project if there’s a significantly negative impact on privacy. This will also help you avoid unnecessary potential costs in addressing privacy concerns after a project has concluded.
PIA Risks and Benefits
Risks of not doing a PIA:
- An organization’s reputation could be damaged if the project fails to meet expectations about how personal information will be protected
- Privacy risks could be identified too late in the project’s development
- An organization’s credibility could be lost through a lack of transparency in response to public concern about handling personal information
Benefits of doing a PIA:
- The project will be compliant with privacy laws
- Community values and expectations around privacy will be reflected in the project design
- Stakeholders will know that the project has been designed with privacy in mind
Needless to say, a Privacy Impact Assessment is something that every organization should seriously consider. They can save your business time, money, and reputation. You can find more resources (including a free PIA system assessment tool) here.
Want more on how to protect your organization’s data? Subscribe to our blog!
During his tenure as a Senior Compliance Technical Specialist at AvePoint, Esad was responsible for research, technical and analytical support on current as well as upcoming industry trends, technology, standards, best practices, concepts and solutions for information security, risk analysis and compliance.
