Privacy Risk Assessments
Identify privacy risks and build remediation plans

TrustArc Privacy Risk Assessments entail a systematic evaluation of how personally identifiable information is collected, used, shared and maintained by an organization. The privacy risk assessment process provides development teams with the greatest opportunity to shape the evolution of products and services for successful business outcomes with as few privacy risks as possible.
Our Proven, 5-Step Process
Our process is based on two decades of experience delivering privacy services to thousands of clients around the world:
Step One
Data Inventory
Through a series of interviews, we work with your team to find any personally identifiable data collected or used in the product or processes at issue. Then we fully map those data flows from the point of collection through storage and processing. We also map any resources involved in processing, retention, and deletion. Together we will gather supporting documents, including requirements documents, specs, database schemas, and third-party data protection agreements.
Step Two
Risk Clarification
The Data Inventory is mapped to the relevant products, systems, and business processes, and data elements are classified according to purposes, uses, and associated risk levels. We apply our scanning technology to applicable websites and mobile apps, shedding light on trackers and tracking technologies used, with Privacy Sensitive Index (PSI) scoring and insight into personally identifiable information (PII) data collection.
Step Three
Policy & Practices Compliance Review
Our consultants analyze your stated privacy policies and data management practices alongside the applicable frameworks, which depend on the nature and location of the relevant product or processes. Our methodology includes a broad look at risk factors, including those introduced by service providers, vendors and other third parties.
Step Four
Findings Report & Gap Analysis
From the compliance review, our consultants provide you with a Findings Report & Gap Analysis outlining the full data lifecycle analysis and risk classification, and describing any gaps found versus the applicable frameworks and against industry best practices. For each gap, we provide a recommended remediation measure, with required and best practice changes.
Step Five
Policy & Practices Change Guidance
Armed with our gap analysis and remediation recommendations, we can assist in the development of policies and training programs, provide sample language and templates, and validate remediation steps.