Introducing Nymity SmartPIA™
Nymity SmartPIA™ is a new approach that addresses the problems of the traditional approach to Privacy Impact Assessments (PIAs), Data Protection Impact Assessments (DPIAs), and Data Inventory. Nymity's Team of Experts conducts ongoing research to maintain databases of specialized knowledge, and these databases, combined with a rules engine, allow Nymity SmartPIA™ to work as an expert system. This expert system significantly reduces the time and resources typically required of the Privacy Office/DPO while providing business and operational value to the process owners.
Challenges with the Traditional Approach to PIAs/DPIAs
PIAs Are Not New
Privacy Impact Assessments (PIAs) and Data Protection Impact Assessments (DPIAs) have been around for a long time. The Treasury Board of Canada Secretariat states that PIAs have been in use as far back as 1970. In the United States, the Internal Revenue Service issued its IRS Privacy Impact Assessment in 1996. In New Zealand, a PIA Handbook was published in March 2002; in Australia, a PIA Guide was published in August 2006; and other PIA guidelines have been published around the world since.
In Europe, PIAs/DPIAs are a relatively new concept. Interest in PIAs started in December 2007 with the publication of a PIA handbook in the UK. That was followed by the European Commission's 2009 recommendation on RFID, which resulted in an RFID Data Protection Impact Assessment Framework developed by industry and endorsed by the Art. 29 Working Party in February 2011. What is now a legal requirement in the General Data Protection Regulation (GDPR) was foreshadowed as early as July 2010, when European Commission Vice-President Viviane Reding stated in a speech that organizations would need to carry out Privacy Impact Assessments under a new law.
In Canada, the United States, and in some cases New Zealand and the United Kingdom, PIAs are mandatory for government departments and agencies for budget submissions. The United States is unique, or at least first, in having legislation that mandates PIAs since 2002.
In May 2018, with the GDPR, DPIAs will for the first time anywhere in the world be mandatory in some cases in the private sector.
In the 2016 IAPP study, 36% of companies surveyed have internal automation and 6% have commercial software, but Nymity's research has yet to find a company whose automated implementation solves the challenges listed below.
Solving the Problems of the Traditional Approach
The problems of the traditional approach to PIAs can be broken into two groups: those of the business unit, which is the part of the organization accountable for the collection, use, disclosure, retention, access, and safeguarding of the personal data, and those of the Privacy Office/DPO, which supports the PIAs. The following is a partial list of the problems inherent in the traditional approach to PIAs; it is these problems that the Nymity SmartPIA™ solution addresses.
Business Unit PIA/DPIA Problems of the Traditional Approach
- Restricts innovations
- Complex and time intensive process
- Perceived as a roadblock to implementation
- Lack of motivation to complete or update a PIA (agile environment)
- Lack of understanding of privacy to effectively complete a PIA
- Repetitive activity with limited value
- Does not integrate into corporate risk systems
- Does not fit into overall corporate strategy around risk or governance
- Little correlation between people accepting the risk and their authority for acceptance of risk
- Does not provide meaningful reporting – unable to measure the value of the process
- Difficult to leverage previously completed PIAs
- Does not support subject matter access requests
- Does not support internal audit
- Easily accessible central repository does not exist
- Difficulty aggregating information from PIAs that would be meaningful and actionable
Privacy Office/DPO PIA/DPIA Problems of the Traditional Approach
- Does not result in an up-to-date data inventory, nor update other dependent repositories
- Does not update dependent PIAs
- Does not integrate risk mitigation plans of dependent PIAs
- Relies on generic templates
- Relies on threshold assessments that often miss key risks
- Relies on workflows that are inefficient and difficult to manage
- Relies on data mapping that is complex and quickly outdated
- Requires significant time and resources
- Relies on "not sure" and "partial" answers
- Uses a checklist approach, with all the resulting limitations
- Difficult to conduct a Big Data/Internet of Things PIA
- Does not ensure that the business has implemented the recommended mitigations
- Difficult to measure the value of the PIA
- Manual process to maintain and update PIA
- Lack of easily accessible central repository
- Difficult to extract aggregated data from PIAs for meaningful purposes
- Lack of consistency in the quality of the PIA as it depends on who completes it
- Difficult to motivate business units to complete or update PIAs
- The privacy office is viewed as a hindrance to the business instead of an enabler