Privacy Impact Assessment (PIA)

Last updated 10 months ago

Privacy Impact Assessment (PIA)

Introduction

The Privacy Impact Assessment (PIA) feature in LightBeam allows organizations to assess the privacy risks associated with their data processing activities. It provides a structured workflow for creating risk-based questionnaires, assigning risk levels to answers, collaborating with stakeholders, and generating a final assessment report.

User Roles and Permissions

LightBeam supports different user roles with specific responsibilities and permissions to ensure a structured and secure PIA process.

1. Process Owner

Initiates PIA assessments for their data processing activities
Assigns collaborators and manages their access to assessments' sections and / or questions
Fills out the assessment questionnaire and provides relevant information
Submits the assessment to be reviewed by the Data Protection Officer (DPO)
Reviews DPO feedback and makes necessary changes to the assessment
Generates the final PIA report

2. Data Protection Officer (DPO)

Reviews submitted PIA assessments for compliance with organizational policies and legal requirements
Adjusts risk levels based on their expertise and risk assessment
Provides feedback, recommendations, and guidance to process owners and collaborators
Approves assessments once all necessary information is provided and risks are mitigated

3. Collaborator

Contributes to specific sections or questions in an assessment based on assigned responsibilities
Provides specialized knowledge and insights related to their area of expertise
Reviews and responds to DPO feedback and recommendations

By assigning clear roles and permissions, LightBeam ensures that the right people are involved in the PIA process and that sensitive information is protected.

PIA Assessment Workflow

3.1. Initiating an assessment from a template

Navigate to the PIA dashboard. Click on the Assessments icon from the left sidebar menu.

Click on the "Start New Assessment" button.

In the New Assessment pop-up:

Choose a template from a list of available templates.

Enter the Name of Process
Email ID of Process Owner
Nature of Process
Enter Email ID of DPO

After filling all the details, click on Next.

Filling out the assessment

Process owners invite collaborators to contribute to specific sections based on assigned roles and permissions. You can add collaborators in two ways:

Adding collaborators before questionnaire
- Click on the "Add Collaborator" button.
- Follow the process mentioned here.
- Then click on Proceed to Questionnaire.

2. Adding collaborators in questionnaire:

While filling out the questionnaire, locate the "Collaborators" button in the top right corner of the screen and click on it.

In the collaborator management pop-up:

Set the "Due Date" for the collaborator to complete their assigned tasks.
Enter the email addresses of the collaborator(s) you want to invite in the "Email IDs of Participants" field.
Write a note in the "Email Body", which will be sent to the collaborators.
Click the "Save Collaborators" button to send the invitation(s) and assign the specified sections or questions to the collaborator(s).

Collaborator View

The Collaborator receives a link through a mail in their mail inbox to view the assigned assessment.

Collaborators log in to the LightBeam application and navigate to the "Assessments" tab.
They will see a list of assessments or Tickets which they have been assigned as collaborators.

Clicking on an assessment will open it, allowing collaborators to review the questionnaire and make changes or add inputs as needed.

Once all the changes have been made, the Collaborator clicks on Submit.

In the next pop-up, again the Collaborator clicks on Submit.

This will share the updates by the Collaborator with the Process Owner.

The status of the ticket will be changed to Submitted.

Process owners log in and navigate to the "Assessments" tab.
They will see a list of their assessments, including those with assigned collaborators.
By clicking on the Assessment, Process Owner can view the collaborator(s) displayed under the Questionnaire tab.

Clicking on an assessment will open it in edit mode, allowing the Process Owner to fill out the questionnaire and manage collaborators.

Filling questionnaire without collaborator:

To complete the PIA questionnaire without involving collaborators:

As a Process Owner, log in and navigate to the "Assessments" tab.
Click on the assessment they wish to fill out.
Navigate through the assessment sections using the left sidebar menu.
For each section (e.g., Process Details, Data Elements, Data Subjects), you'll see a series of questions and input fields.
a. Process Details
The Process Details section is the first part of the assessment questionnaire:
- You'll see the following fields:
  - Process Name: Pre-filled from your setup, but editable.
  - Description: A text area for a detailed process description.
  - Process Group: A dropdown menu to categorize the process (e.g., "Sales", "Marketing", "HR").
  - Automated processing: Radio buttons to indicate if the process involves automated processing.
  - If "Yes" is selected for automated processing, an additional text area appears for describing the automation.
- Each field can be edited for easy modifications.
- Required fields are marked with an asterisk (*).

Real-time risk indicator updates based on answers

As the process owner or collaborators fill out the questionnaire, the LightBeam application dynamically displays the risk levels based on the pre-assigned values of the selected answers.

Each question with an associated risk level will display a risk indicator (e.g., color-coded circle or label) next to it.
The overall risk level for the assessment is prominently displayed and updated in real-time as answers are provided.

After filling the Process Details section, click on Next.

b) Data Elements

In the Data Elements section, you'll specify what types of data are involved in the process:

Click on the "Data Elements" button.

Clicking this button opens a pop-up window with a list of predefined data elements.
Select all relevant data elements for your process.

As you select elements, they appear in a list format in the main panel.
Each selected element shows its pre-assigned risk level (High, Medium, Low, or NA).
The overall risk level for this section is displayed at the top, based on the highest risk element selected.

After filling all the required fields, click on Next to move to the next section.

c. Data Subjects

The Data Subjects section allows you to identify whose data is being processed:

Click on the drop-down menu under Data Subjects.
Clicking this opens a list of potential data subject categories (e.g., Employees, Customers, Vendors).
Select all applicable categories.
Each selected category appears with its pre-assigned risk level.
An overall risk level for this section is shown at the top.

Example: Since Existing Customers does not have a preassigned risk value to it, the selected item does not show any risk association.

Here, the Data Subject 'Employees' displays an associated risk of 'Low'.

Click on Next to proceed.
d. Data Retention
In the Data Retention section, you'll define how long data is kept and why:
- This section may also display pre-assigned risk levels based on your selections. Alternatively, you can click on the +Data Retention button to enter:
  - Time duration: A dropdown to select the retention period.
  - Trigger Event: A dropdown to specify what initiates the retention period.
  - Scope: A dropdown to define what data the retention policy applies to.
- Below these fields, there's a text area to provide justification for the chosen retention period.

To edit it, you can make changes to the retention policy and click on Add Policy.

If there are no changes, simply click on Next.

d. Safeguards

The Safeguards section allows you to document security measures:

You'll see a text area to list the safeguards in place.
There's an option to add multiple safeguard entries.
Each safeguard may have a pre-assigned risk level displayed next to it.
An overall risk level for safeguards is shown at the top of the section.

Click on Next.
f. Transfers
In the Transfers section, you'll indicate if data is moved outside your organization:
- Third-party Transferr:
  - Answer if personal data is transferred outside your organization as a part of this process using the radio buttons "Yes" or "No".
  - If "Yes" is selected, additional fields appear asking you for Third-Party Organisation Details such as:
    Name
    Email
    Safeguards in place (Select from existing or type to add custom)
    Address
  - Pre-assigned risk levels may be displayed based on your responses.
- Cross-border Transfer:
  - Answer if personal data is transferred outside your national borders as a part of this process using the radio buttons "Yes" or "No".
  - If "Yes" is selected, additional fields appear asking you for Cross Border Transfer Details such as:
    Country
    Organization
    Safeguards in place (Select from existing or type to add custom)
    Email
Click on Proceed to Risk Review.

Submitting the assessment for DPO review

The process owner submits the completed assessment for Data Protection Officer (DPO) review.
Once you've completed all sections:
- Review your answers for completeness and accuracy.
- Scroll to the bottom of the assessment.
- Locate the "Proceed to Risk Review" button.
Clicking this button will send the assessment to the designated Data Protection Officer (DPO) for review.
The assessment status will change to "Review Pending".

Risk Assessment Review

After clicking "Proceed to Risk Review", you'll be taken to a summary page of all risk assessments.
This page displays:
Individual Risks:
- A breakdown of risk levels for each section (Process Details, Data Elements, Data Subjects, etc.).
- You can click on the section name to adjust the risk evaluation if necessary.

Overall Risks:
This section provides a high-level summary of the entire assessment's risk profile.

It includes:

Select Overall Risk:
- An overall risk level for the entire assessment (e.g., High, Medium, Low) in the form of an editable line graph.
- To increase or reduce the Overall Risk, the user can click on any risk-level point to increase or decrease the length of the line.
Overall Likeliness of Occurrence:
- This is represented by another editable line graph.
- It allows you to indicate how likely it is for the identified risks to actually occur.
- Similar to the Overall Risk graph, you can click on any risk-level point to increase or decrease the length of the line.

Note: When evaluating the likeliness of occurrence, consider the following key elements:

Type of Data:
- Sensitive personal data (e.g., health information, financial records, biometric data) generally carries a higher likelihood of risk if compromised.
- Consider the volume and sensitivity of the personal data being processed.
Method of Data Processing:
- Automated processing, especially those involving profiling or decision-making, may increase risk likelihood.
- Complex processing operations involving multiple stages or parties could elevate risk probability.
Data Storage Location:
- Cloud storage vs. on-premises solutions may affect risk likelihood differently.
- Geographic location of data storage, especially if outside your jurisdiction, can impact risk probability.
Security Measures:
- The robustness of your encryption, access controls, and other security protocols influences risk likelihood.
- Regular security audits and updates may lower the probability of risks occurring.
Data Transfers:
- Frequent transfers of data, especially across borders, may increase the likelihood of privacy risks.
- The security measures of third parties involved in data processing affect risk probability.
Staff Training and Awareness:
- The level of privacy awareness and training among staff handling the data impacts risk likelihood.
- Clear policies and procedures for data handling can mitigate risk probability.
Historical Incidents:
- Past privacy breaches or near-misses in similar processing activities may indicate a higher likelihood of future risks.

View the Key risk indicators or areas of concern highlighted for quick reference.

Once you're satisfied with your risk assessment review, locate the "Submit for Review" button at the bottom of the page.
In the pop-up window, enter the details:
- Data Protection Officer(DPO) or Reviewer
- Email body
- Due Date
Click on Submit to finalize your assessment and risk evaluation, sending it to the Data Protection Officer for review.

Once the assessment is submitted, the Review Status will be updated to Review Pending from Not Submitted.

This is one complete cycle of filling out and submitting of assessment. The same assessment can be modified and the Process Owner can get it reviewed multiple times.tting

DPO review process

DPO Dashboard:
- The DPO accesses the submitted PIA from their dashboard.
- They see a list of assessments pending review, including yours.

Assessment Overview:

Detailed Section Review:
- The DPO first systematically reviews each section of the assessment:
  - Process Details
  - Data Elements
  - Data Subjects
  - Data Retention
  - Safeguards
  - Transfers
- For each section, they evaluate:
  - Completeness of information
  - Accuracy of responses
  - Appropriateness of measures described
  - If the assigned level reflects the potential privacy impact

Adjusting risk levels and providing comments

The DPO can adjust the risk level for individual questions or sections by clicking on the risk indicator (e.g., High, Low) and selecting a different risk level from the dropdown menu.

This may also affect the overall risk associated with the questionnaire.

The DPO can also add risk associations where they have not already been added.

Similarly, the DPO can also change the risk levels from the Risk Assessment page by expanding the sections and editing the inputs.

In the Overall Risk tab, the DPO can make changes to the Overall Risk and Overall Likeliness of Occurrence of the risk.

They can Remediation comments or Additional Comments, if any.

Marking the assessment as reviewed

Now select the 'Mark as Reviewed' field to mark the review as completed.

This will allow you to click on the Submit Review button.

Click on submit. Clicking the "Submit" button finalizes the DPO's assessment review and sends a notification to the process owner.

This will update the status of the assessment as reviewed.

Editing and resubmitting assessments after DPO review

The process owner receives a notification that the DPO has completed their review. They log in to the LightBeam application and navigate to the "Assessments" tab. Process owner can edit and resubmit the assessment based on DPO feedback for further review.

Once all changes have been made, they click the "Save & Close" button to update the assessment and send it back to the DPO for another round of review, if needed.

Notification to the Process Owner after making changes to the assessment: After the process owner has made changes to the assessment based on the DPO's feedback, they receive a notification indicating that the answers have been updated and that these changes may impact the risk assessment.

This notification prompts the process owner to submit the updated assessment for another round of DPO review, as the changes made could affect the overall risk profile. The "Submit for Risk Review" button allows the process owner to easily send the modified assessment back to the DPO.

The DPO will then receive a notification (as described in the previous section) and begin reviewing the changes made by the process owner. The iterative review process continues until the DPO is satisfied with the assessment and marks it as final.

Revoke review request

In some cases, the process owner may need to revoke a submitted review request. This can happen if they realize that further changes are needed before the DPO reviews the assessment, or if they want to make significant modifications that would render the current review obsolete.

To revoke a review request, the process owner navigates to the assessment overview page and clicks on the "Actions" dropdown menu in the top right corner.

From the dropdown menu, they select the "Revoke Submission for risk review" option.

After clicking on "Revoke Submission for risk review", a confirmation pop-up appears, asking the process owner to provide a reason for revoking the submission. The process owner enters a brief explanation in the text area and clicks the "Revert Submission" button to confirm the action.

Once the review request has been revoked, the assessment status changes from "Review Pending" to "Not submitted," indicating that the process owner can now make further changes to the assessment.

Edit Reviewer

In some situations, the process owner may need to change the assigned DPO for an assessment. This could be due to the original DPO's unavailability, a change in the DPO's responsibilities, or other organizational reasons.

in the assessment overview page and selects the "Edit Reviewer" option.

In the "Update Reviewer" pop-up window, the process owner can:

View the current reviewer's details.
Add a new reviewer by entering their email address in the "New Reviewer" field.
Modify the due date for the review by selecting a new date from the calendar picker.
Update the email content that will be sent to the new reviewer in the "Email Body" text area.
And clicking the "Submit" button.

The Reviewer details get updated on the assessment page.

The previous DPO gets an email that they are no longer responsible for reviewing the assessment.

The new DPO receives a notification about their assignment to the assessment.

The assessment status remains unchanged ("Review Pending" or "In Progress," depending on the previous state) after updating the reviewer details.

PIA Reports

4.1. Generating PIA reports

Once the privacy impact assessment is complete and the DPO has completed reviewing the assessment, the DPO can generate a comprehensive PIA report. This report serves as a formal record of the assessment, detailing the identified risks, mitigations, and recommendations for the evaluated data processing activity.

To generate a PIA report, the user navigates to the "Assessments" tab in the LightBeam application and locates the finalized assessment for which they want to create a report.

On the assessment overview page, the user clicks on the "Reports" tab located at the top of the screen.

On the next page, the user clicks on the "Generate Report" button.

This allows the user to preview the report.

User can either click on Generate Only to view the report or Generate and Download to also download the report to their system.

About LightBeam

LightBeam automates Privacy, Security, and AI Governance, so businesses can accelerate their growth in new markets. Leveraging generative AI, LightBeam has rapidly gained customers’ trust by pioneering a unique privacy-centric and automation-first approach to security. Unlike siloed solutions, LightBeam ties together sensitive data cataloging, control, and compliance across structured and unstructured data applications providing 360-visibility, redaction, self-service DSRs, and automated ROPA reporting ensuring ultimate protection against ransomware and accidental exposures while meeting data privacy obligations efficiently. LightBeam is on a mission to create a secure privacy-first world helping customers automate compliance against a patchwork of existing and emerging regulations.