Assessments

00:00

Module 3.4

00:02

assessments

00:05

in this module. Learn how to assess and analyse the privacy program through various assessments including regulatory P. A. S. And D. P. A. S. Also will explore third party assessments, physical assessments and assessments that involve corporate change such as mergers, acquisitions and divestitures.

00:23

One important thing here is I wanted to clarify the difference between an audit and an assessment and I found this statement on a website here from transition support and basically it says an audited example of results to verify their accuracy by someone other than the person responsible for producing them.

00:38

An assessment is a judgment made about those results. So an assessment typically comes in after an audit was made or sometimes an assessment can be done when you're getting your program ready and then you can audit afterwards. So think of it being cyclical.

00:55

Okay. An assessment is supposed to go further than oughta as involves the determination of actions necessary to make the assessed entity compliant. Therefore, in assessing opportunities for improvement, you would not only identify such opportunities, such as also make some judgments on the benefits to be gained and the action to be taken to realize the improvements.

01:12

I think this is really good advice from transition support and I certainly advocate that assessment and audit should be discussed within your organization and how you're going to use those functions within your program.

01:25

Let's continue to look at assessments here.

01:26

Well, one assessment you're going to be doing as a privacy manager or at least working with your corporate counsel is monitoring the regulatory environment. You can use the internet, certainly blog, social media, printed online journals. Third party vendor activities.

01:42

And the reason I mentioned third party vendor activities, there could be lawsuits or breaches associated with them that could certainly impact your organization and their associations out there. That can certainly help you with monitoring what's going on from a regulatory standpoint,

01:59

you may have to conduct a gaps analysis once you have your assessment done to determine the program gaps, as it pertains to applicable laws and regulations laws have overlap. So it's important to involve the legal team or council and not always necessary, but a privacy compliance tool may be necessary to help you close those gaps.

02:17

Let's talk about risk assessment specifically P. A. S. And D. P. A. S. So a privacy impact assessment or a P. A. Is an analysis of a privacy risk associated with processing personal information, relation

02:30

to a project, product or service very similar, A data protection impact assessment describes a process designed to identify risks arising out of the processing of personal data and to minimize these risks as much as in as early as possible.

02:43

A D. P. A. Is something that you'll see very well referenced and very often referenced in the G D. P. R.

02:50

And then there's also a breach impact assessments which is evaluate the impact of an actual probable breach. We'll discuss breach impact assessment during the incident uh management modules,

03:02

but to look at the P A. S and D P S a little further, I've got some examples here

03:07

from the the privacy office at the Department of Homeland Security in the United States. They have a privacy impact assessments, a guide.

03:16

And on the right there is just a snippet of what's included in that guide and in section 2.0, they talk about uses of system and the information.

03:24

So essentially it's a narrative of of what you, as the person conducting assessment is currently looking for in regard to a specific system or an overall system or a process. So there's a wonderful guy that's free available online. If you were to search for that title

03:44

and Department of Homeland Security you should have no problem finding that. And I've got a link here in the module to show a U. R. L.

03:53

For a sample D P. A template. You can find one by searching the information Commissioner's office sample D. P. A template

04:01

and there is a step it on the right that shows a following figure that illustrates the basic principles related to the D. P. A. In the G D. P. R. So you can follow that workflow and their document basically gives you a much more detailed explanation of what A D. P. I should cover and why A D. P. A. Needs to be conducted to be compliant

04:31

has promised there is the resources available for you

04:34

that I pulled from the internet.

04:42

So another area that we have to look at

04:44

for assessments are vendors and processors so they have their own risk assessments and you may have to conduct one for them if you agree to their maybe contractual requirements such as instant response service level agreements, notification requirements, liability and disposal of data that vendors need to comply with

05:00

ongoing monitoring, auditing of those vendor activities,

05:04

organizational certification and attestation should be required from vendors that either process or access to P. I. That you're responsible for where personal information is being held as important to know who has access to personal information and in practice note is contractually required and validate that you don't want to necessarily overstretch or overextend the resources available to you when it comes to vendors and processors assessments but understand at least who your primary vendors and processors are. Start there and work with a

05:42

your your committee or your executive leadership on prioritizing what vendors need to be reviewed,

05:47

especially those who have access to P. A. And sensitive information.

05:55

Here's a screenshot from Club Security Alliance and and they have a star program they call it and level to essentially has a listing of firms that uh they trust to to go out and produce uh the audits.

06:13

four vendors or vendors can

06:15

contract with to have an audit done. That creates that at to taste at the station report or document that you're looking forward to essentially confirmed that the third party is certainly validating what they're saying they're doing contractually.

06:34

Uh And that helps you certainly validate that the P. Ii. And security information that you entrust with them to protect and keep that they are actually doing that. Uh This course is a management course so I don't want to go into all the specifics in regard to all the available uh,

06:54

uh, certifications that are out there and there may be many uh, that exist in the region of the world that you're in that it would be

07:04

not very, uh, we'll be retired consuming to cover them all. But the important part is to note that there are resources out there to help you validate whether vendors are actually complying with what they say they're doing using third parties

07:23

when it comes to mergers, acquisitions and divestitures, which are common business functions. You may have to have a

07:31

and understanding that as a privacy program manager. And this is kind of one of those for those of you who run a program. It can be in some ways an opportunity, but it can also be a frustrating in a way where you, you've got everything set, you've got your program mature and then whom leadership says we're gonna merge, we're going to acquire or going to invest something

07:49

and you have to, in some ways go through

07:53

uh the the process all over again of building up or merging this information into your program. So there could be some new compliance requirements and laws you have to comply with. Uh You may want to review previous audits that were done, especially if they were done from an organization that you've acquired,

08:11

explore existing client vendor agreements.

08:13

You may not have the benefit of having mutual vendor's. So you may have to look at uh those relationships. Again, you may have to conduct new P. A. S and D. P. A. S. Uh last review retention requirements of information. You may have some opportunities to uh courage or remove information that you no longer have to keep or maybe that the information that you gained

08:35

uh

08:37

was not adequately governed from a retention schedule standpoint and would need to be reviewed, emerge into your retention schedule and then potentially disposed of or go through a disposition process

08:50

that would keep you compliant with your records management functions.

08:58

Quiz, Question a blank is an analysis of the privacy risk associated with processing personal information in relation to a project product or service,

09:05

one data protection impact assessment to breach impact assessment or three privacy impact assessment

09:13

and the answer is

09:15

privacy impact assessment.

09:20

In this module, we discussed what assessment is and how to analyze a privacy program