Introduction
This checklist provides guidance on conducting a privacy risk assessment. A privacy risk assessment will help to ensure compliance with applicable regulatory and legal requirements. It will also identify and evaluate the risk of data breaches (including threats and vulnerabilities) and allow an organization to identify appropriate controls to mitigate unacceptable risks. This checklist is aimed at in-house counsel, compliance professionals, and private practitioners who are responsible for their organization’s data and privacy compliance programs.
While the details of a privacy risk assessment are specific to the industry or the organization conducting the assessment, this checklist provides an overview of the framework for carrying out such an assessment. This framework can then be adapted to each organization’s individual situation.
The checklist addresses the following steps:
- Determine the organization’s data privacy regulatory requirements;
- Inventory and map the organization’s data;
- Identify and evaluate data privacy risks; and
- Identify the organization’s existing data privacy controls and add to them.
The checklist is presented as a list of requirements that you can check off as they are addressed. At the end of each step there are explanatory notes corresponding with each requirement in the checklist. Please note that this checklist has been prepared with reference to codified privacy laws only. When performing a privacy risk assessment, you should also consider the risk of common law privacy-related claims such as invasion of privacy claims, which are recognized in some form in most states. For instance, Alabama, California, New Jersey, and Ohio recognize common law causes of action related to the invasion of privacy.
This checklist may be read in conjunction with the following How-to Guides: How to determine and apply relevant US privacy laws to your organization and How to develop, implement and maintain a US information and data security compliance program; and Checklist: Understanding privacy laws in the US.
Step 1 – Determine the organization’s data privacy regulatory requirements
| No. | Requirement |
| --- | --- |
| 1.1 | Determine which federal and state data privacy regulations apply to the organization |
| 1.2 | Determine which notices and external data privacy policies are required by law |
| 1.3 | Identify applicable data use, disclosure, and access rules |
| 1.4 | Determine which internal privacy policies and procedures are required by law |
| 1.5 | Determine which data privacy safeguards are required by law |
| 1.6 | Identify data disposal requirements imposed by law |
Step 2 – Inventory and map the organization’s data
| No. | Requirement |
| --- | --- |
| 2.1 | Conduct a general assessment of the organization’s data environment |
| 2.2 | Identify categories of private data |
| 2.3 | Map a typical life cycle for private data |
Step 3 – Identify and evaluate data privacy risks
| No. | Requirement |
| --- | --- |
| 3.1 | Identify data privacy vulnerabilities and threats |
| 3.2 | Identify areas of non-compliance with data privacy regulations |
| 3.3 | Assess the likelihood and impact of data privacy incidents arising from risks identified |
| 3.4 | Prioritize which data privacy risks to address |
| 3.5 | Identify and implement corrective data privacy controls |
Step 4 – Identify the organization’s existing data privacy controls and add to them
| No. | Requirement |
| --- | --- |
| 4.1 | Identify existing administrative data privacy controls |
| 4.2 | Identify existing technical data privacy controls |
| 4.3 | Identify existing physical data privacy controls |
| 4.4 | Identify other data privacy controls in place |
| 4.5 | Assess whether controls are sufficient |
| 4.6 | Create and implement additional responsive data privacy controls |
Scope and use of checklist
It is important to note that not every US privacy law or regulation will apply to every organization. Moreover, because every organization handles data differently and deals with diverse types of data, each organization will have different privacy risks based on their operations and specific organizational structure. Therefore, take care to determine whether specific privacy issues are applicable based on your organization’s industry, product offerings, jurisdiction, or other factors.
General notes
Legal framework
US privacy law is an intricate combination of state and federal privacy and information security laws and regulations. Since the codified US privacy law tends to emphasize electronic privacy, both privacy and information security laws are relevant to privacy compliance by organizations in the United States.
At the federal level, privacy statutes are generally implemented through agency rulemaking and enforcement, with the Privacy Act additionally governing federal agencies and the contractors that operate systems of records on their behalf. Multiple agencies may share responsibility for implementing a single act; the GLBA, for example, is implemented by the FTC, the Consumer Financial Protection Bureau, the SEC, and the federal banking regulators.
At the state level, California has been at the forefront of developing privacy and information security laws, with other states beginning to follow suit. Given the size of California’s economy and market, many organizations aim to comply with the state’s privacy laws, even if they have no physical locations within California.
What is a privacy risk assessment?
A privacy risk assessment is a process, or a set of processes, that helps an organization identify, analyze, and assess the privacy risks to individuals' data that result from maintaining, processing, or otherwise using that data. A privacy risk assessment has the following goals:
- to ensure compliance with applicable regulatory and legal requirements;
- to identify and evaluate the risk of data breaches; and
- to identify appropriate and effective privacy controls to mitigate risks.
Importance of a privacy risk assessment
Privacy risk assessments are among the most effective ways of identifying and remedying privacy vulnerabilities before they are exploited. Additionally, privacy risk assessments provide a way of demonstrating compliance with relevant laws. Non-compliance may lead to a variety of negative outcomes, including civil and criminal penalties, civil liability from private lawsuits, and reputational damage.
Key considerations
Due to the range of laws and regulations, and the frequency with which those laws are being updated, privacy compliance in the United States can be challenging. To ensure compliance, regularly check for legal updates and review and update your organization’s privacy risk assessments.
It is important to consult the relevant references and resources appropriate to the industry or market in which the organization operates, such as:
- the National Institute of Standards and Technology (NIST)’s Privacy Framework and Cybersecurity Framework;
- the International Association of Privacy Professionals (IAPP)’s resources; and
- risk analyses to ensure compliance with specific laws, such as the Health Insurance Portability and Accountability Act (HIPAA).
Step 1 – Determine the organization’s data privacy regulatory requirements
1.1 Determine which federal and state privacy regulations apply to the organization
Begin by determining which data privacy or compliance laws and regulations apply. Different federal privacy laws apply to specific types of information, such as personal health information or financial information. State comprehensive privacy laws generally apply to any organization that does business in the state, or targets its residents, and collects residents' personal information, often subject to applicability thresholds based on annual revenue or the number of residents whose data is processed.
Examples of key federal privacy laws include HIPAA, whose Privacy Rule governs protected health information in any form (paper, oral, or electronic) and whose Security Rule sets safeguards for electronic protected health information, and the Gramm-Leach-Bliley Act (GLBA), which governs financial institutions and provides privacy and security standards for the protection of non-public personal information. There is no central federal privacy law that applies to all organizations across all industries in the way the European Union's General Data Protection Regulation (GDPR) does. Instead, US federal laws like HIPAA and the GLBA are part of a network of sector-specific rules and regulations that may apply to various organizations and industries.
For businesses that transfer personal data between the EU and the United States, the FTC and the Department of Commerce publish guidance. On July 10, 2023, the European Commission adopted an adequacy decision for the EU-US Data Privacy Framework (DPF). The Framework is voluntary and provides a mechanism for transferring personal data from the EU to the United States in a manner consistent with EU law. To join, a company must self-certify to the Department of Commerce that it complies with the DPF Principles; once certified, its commitments are enforceable by the FTC (or the Department of Transportation for organizations under its jurisdiction), so treat the self-certification as a binding compliance obligation rather than a formality.
State privacy regulations vary from state to state, and an organization needs to be aware of, and be in compliance with, the regulations in every state in which the organization may be considered to be doing business. California’s regulations are notable, given the size of the state’s economy. Many other states that have adopted or are considering adopting privacy laws have looked to the California laws as models.
For additional discussion of this topic, including requirements under the primary privacy laws in the United States, see How-to Guide: How to determine and apply relevant US privacy laws to your organization, and Checklist: Understanding privacy laws in the US.
1.2 Determine which notices and external data privacy policies are required by law
Determine which notices are required to properly notify individuals, including customers, of the organization’s data privacy policies and safeguards. Different notices may be required for different types of data or for the manner in which data is collected.
1.2.1 External privacy policies
Although there is no federal requirement that every organization must provide a privacy policy, state and trade-specific regulations may require such a policy. Customer-facing privacy policies are usually posted on a company website or digital application and disclose organizational practices with respect to the collection, use, and handling of an individual’s personal data. It is advisable for every US organization to have a privacy policy.
1.2.2 Initial privacy notices
Initial privacy notices are generally provided when, or before, a customer relationship is established or personal information is first collected from an individual (including an employee or a supplier's personnel). In some cases the timing is more flexible. For instance, under the GLBA a financial institution may, in limited circumstances, provide the initial notice within a reasonable time after the customer relationship is established.
The notices should, like a privacy policy, explain an organization’s privacy policies and practices including categories of an individual’s information collected, categories of information disclosed, to whom the information will be disclosed, and actions taken to protect the information. Regulations may require additional specific items to be included in initial privacy notices.
1.2.3 Opt-out notices
Opt-out notices are notices that inform an individual of their right to opt out of any disclosure of information, and a means by which the individual may exercise that right.
For instance, under the GLBA, a financial institution that intends to share non-public personal information with nonaffiliated third parties (outside the statutory exceptions, such as disclosures to service providers or to process a transaction the consumer requested) must first provide consumers with an opt-out notice. The notice must explain the individual's right to direct the institution not to share the information, and must allow a reasonable amount of time for the individual to opt out before the sharing begins.
1.2.4 Breach notices
Breach notices notify individuals of a data breach or any unauthorized disclosure or release of personal information. Data breaches may occur due to:
- theft or loss of digital media;
- release or posting of information without proper security precautions; and
- transfer of information through unsecure systems or by unsecure methods (eg, without encryption).
Every state has a law that requires notification of a data breach, as do the District of Columbia, Puerto Rico, Guam, and the US Virgin Islands. The form of the notice, the deadline (typically "without unreasonable delay" and, in many states, within a fixed period such as 30, 45, or 60 days), and the parties who must be notified vary according to the type of data involved and the size of the breach (ie, the number of individuals whose data was affected). The primary purpose of these laws is to ensure that individuals receive notice if their private information was compromised through a security breach. Many state laws also require that the state attorney general, consumer reporting agencies, or law enforcement be notified when a breach affects more than a threshold number of residents.
1.3 Identify applicable data use, disclosure, and access rules
The risk assessment should identify how, and under what circumstances, each category or item of data can be used, disclosed, or accessed. The applicable rules may stem from a variety of sources:
- federal law;
- state law; and
- data disclosures or use agreements between the organization and third parties.
1.3.1 Permitted and prohibited uses
There are specific uses of data that are permitted for certain types of data, while other uses may be prohibited. The determination of whether a use is permitted or prohibited considers the following factors:
- who is authorized to use or receive the information;
- whether receipt of the information must be reported or recorded; and
- under what circumstances the information may be used.
For example, HIPAA permits covered entities to use and disclose protected health information (PHI) for treatment, payment, and health care operations without the individual's authorization, but generally requires the individual's written authorization for other uses and disclosures, such as most marketing. PHI is individually identifiable health information that is transmitted or maintained in any form or medium.
1.3.2 Permitted and prohibited disclosures
The risk assessment should also identify, for each type of data category:
- who may disclose the information;
- whether disclosure must be reported or recorded;
- under what circumstances the information may be disclosed; and
- whether the information may be disclosed to external or third-party entities.
1.3.3 Access restrictions
Access restrictions refer to limitations on the type of user that may read, review, or edit specific types of data.
1.4 Determine which internal privacy policies and procedures are required by law
The risk assessment should determine which policies and procedures are required within the organization to protect data properly. These policies and procedures must provide guidance on the following key areas:
- collection and use of personal information;
- how information will be classified;
- protection standards;
- actions to take in the event of a breach;
- destruction standards; and
- consequences of non-compliance.
1.5 Determine which data privacy safeguards are required by law
There may be different data privacy safeguards for distinct categories of data and different safeguards depending on how information is stored. Generally, there are three categories of data privacy safeguards:
- administrative safeguards, which are policies and standards such as access requests, access approvals, and training protocols;
- physical safeguards, which refer to the protection of devices and locations that collect, process, share, and store data; and
- technical safeguards, which are the technical controls and tools to protect user data, such as passwords and network firewalls.
For more information on the required data privacy safeguards, see: Checklist: Understanding privacy laws in the US.
1.6 Identify data disposal requirements imposed by law
When the organization no longer needs a specific item or set of data, it should destroy the data in accordance with all relevant rules and requirements.
Certain laws, such as the Federal Trade Commission (FTC)'s Disposal Rule for consumer report information, prescribe reasonable disposal measures: burning, pulverizing, or shredding paper records, and destroying or erasing electronic media so that the information cannot practicably be read or reconstructed. Confirm that disposal practices for electronic media (including cloud storage and decommissioned devices) meet the same standard as those for paper.
Step 2 – Inventory and map the organization’s data
2.1 Conduct a general assessment of the organization’s data environment
A general assessment of the organization's data environment includes becoming familiar with the type of data that the organization collects that is subject to US privacy law, and the systems and safeguards in place to protect and secure such data. NIST offers several valuable resources that may be useful to organizations when they initially conduct a data privacy risk assessment, including its Risk Assessment Tools and Risk Assessment Use Cases and, for the assessment method itself, SP 800-30 (Guide for Conducting Risk Assessments). In the general assessment phase of the data privacy risk assessment process, the organization should consider these relevant points:
- how the organization protects against data theft or loss;
- how the organization ensures the accuracy of the data collected;
- the organization’s data workflow and data access controls;
- procedures for protecting data and the privacy of the individuals who are the subjects of that data;
- accuracy of the documentation relating to data collection and protection; and
- consistency of data access rules and procedures.
2.2 Identify categories of private data
In order to understand how certain data is stored and used, and the appropriate safeguards required, the organization should identify the types of private data it collects, maintains, and uses. The following are common types of private data:
- information that can be used to identify a person, such as their location, address, Social Security number, and date of birth;
- financial information such as credit report data, credit card numbers, and loan information;
- healthcare records;
- educational records;
- minor children’s information;
- other information deemed private under state or federal regulations; and
- unregulated information that would be considered private to a reasonable person (data may be deemed private under common law even if it is not regulated under federal or state law).
When conducting this analysis, remember that an organization may obtain private data from individuals themselves or through third parties. For example, an organization that provides invoicing software to bookkeepers is likely to obtain the private information of the bookkeepers’ clients.
2.3 Map typical life cycle for private data
A data life cycle, which can also be referred to as the information life cycle, refers to the entire period of time that any given piece of data exists in the organization’s systems. For the purposes of a privacy risk assessment, only private data needs to be mapped. However, mapping all of an organization’s data may be useful for other purposes.
Mapping how private data moves through the organization will help identify points where the private data may be at risk. For example, mapping may reveal that an organization has no process for disposing of private data. Thus, it is at risk of non-compliance with data disposal laws. It also increases the risk of unauthorized access to the data by not getting rid of it after its useful life.
The usual stages of the data life cycle are as follows:
- acquisition – the method through which data enters the organization’s systems, such as being provided by a website user, acquired from a third-party source, or captured from device data;
- use – how data is retrieved from the organization’s systems then used and modified;
- sharing – how and with whom data is shared within and outside the organization;
- storage – how an organization stores its private data, including what data security measures are in place to prevent loss or theft;
- disposal – the stage at which data is disposed of or destroyed. A data map should record how and when each category of data is typically disposed of.
If various categories of data have different life cycles or progressions through the organization’s systems, use a different map for each type of data to provide an accurate visualization of data flows. By doing so, you can account for the various risks presented for distinct categories of data at different stages of their life cycle.
Step 3 – Identify and evaluate data privacy risks
3.1 Identify data privacy vulnerabilities and threats
The risk assessment should then identify potential data privacy threats and vulnerabilities, including compliance issues and possible routes through which malicious actors could steal personal data. By doing so, an organization can be clear on the steps it must take to adequately maintain and protect such data and prevent a data breach.
Generally, a privacy vulnerability is a weakness in a system (eg, computer software) or a procedure that can be exploited. A privacy threat is a potential event or actor (eg, a ransomware operator, a careless insider) that could exploit that vulnerability to harm the data or the individuals it concerns. When a threat actually exploits a vulnerability, the result is an incident or breach; risk is the combination of how likely that is and how severe the consequences would be.
3.1.1 Common vulnerabilities
Common privacy vulnerabilities include:
- inadequately trained employees;
- loss of computers, laptops, memory devices, or other electronic devices; and
- inadequate or shared passwords.
3.1.2 Common threats
Common privacy threats include the following:
- malicious software (eg, spyware, ransomware);
- denial of service (DoS) attacks that flood a computer or network so that it cannot respond;
- phishing attacks that use forged messages or sites to trick a user into revealing credentials or data;
- password attacks (guessing, brute force, credential stuffing) against databases or systems;
- man-in-the-middle (MitM) attacks that intercept communications between two parties to steal or manipulate data;
- data breaches, meaning unauthorized access to confidential data, often leading to data theft (usually the outcome of one of the other threats listed here);
- social engineering that manipulates individuals into divulging confidential information;
- adware, software that automatically displays or downloads advertising material, often with tracking;
- tracking cookies that follow user behavior across websites, often without consent;
- physical theft of devices containing sensitive data;
- exploitation of unsecured Wi-Fi networks to intercept private information in transit; and
- insider threats, such as employees or associates accessing and misusing sensitive information.
3.1.3 Example of threat and corresponding vulnerabilities
One example of a privacy vulnerability is weak user passwords. If the organization has no password standard, employees may use short, easily guessed strings of letters or numbers, or reuse passwords exposed in earlier breaches elsewhere. This vulnerability could lead to malicious actors gaining access to critical or sensitive systems. Note that current NIST guidance (SP 800-63B) favors minimum length, screening new passwords against lists of known compromised passwords, and multi-factor authentication over forced periodic rotation, which tends to produce predictable variations of the same password.
3.2 Identify areas of non-compliance with data privacy regulations
The risk assessment should also identify any programs, systems, or policies that are either non-compliant with applicable privacy regulations or inconsistent with the applicable level of risk such that minimum compliance with the regulations would be inadequate. It is important to recognize that access to some items of data in a given data category may be compliant with the regulations, while others may not be.
3.2.1 Comparison of obligations against current controls
Compare the requirements of applicable privacy regulations with the organization's current data privacy standards. Improve or upgrade standards or systems as needed to meet at least the minimum required under the applicable regulations, and record each gap and its remediation so the comparison can be repeated at the next review.
3.3 Assess likelihood and impact of data privacy incidents arising from risks identified
For each privacy risk or area in which the current privacy controls are not compliant, the organization should assess the likelihood that individuals will experience problems resulting from data processing, and the impact of these problems if they occur.
3.3.1 Likelihood assessment
Calculate a likelihood assessment for each potential privacy incident. This assessment relates to the level of probability that the incident will occur.
3.3.2 Impact assessment
Calculate an impact assessment for each potential privacy incident. This assessment relates to the level of consequences that would result if the potential privacy incident were to occur.
3.4 Prioritize which data privacy risks to address
The organization should prioritize which privacy risks to address first based on the combination of likelihood and impact assessments. First, address incidents that are both likely and have serious consequences, such as significant financial loss or reputational damage. Then address less urgent risks.
Address privacy risks with the organization’s objectives and risk tolerance in mind. Risk tolerance refers to the amount of risk the organization is willing to accept to achieve its objectives.
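The life-cycle mapping in 2.3 and the likelihood and impact scoring in 3.3 and 3.4 can be kept in one machine-checkable form, so the check is re-run whenever the data environment changes. The following Python is an added example and is not part of the original checklist: it walks a constructed data map, flags the gaps the text describes (a category with no disposal stage, regulated data stored unencrypted, sharing with a third party that has no data use agreement), attaches constructed analyst ratings, and orders the findings against an assumed risk tolerance. The field names, the 1 to 5 scale, the rating bands, and the tolerance value are all assumptions made for this example.

```python
"""Data life-cycle gap check and likelihood/impact prioritization.

Added example for checklist steps 2.3 and 3.3/3.4; not part of the original
checklist. The data map, the 1-5 scoring scale, the rating bands and the
tolerance threshold are all constructed for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass

# Life-cycle stages from step 2.3, in the order the checklist lists them.
STAGES = ("acquisition", "use", "sharing", "storage", "disposal")

# Constructed sample data map (steps 2.2/2.3): one record per category of
# private data. Field names are this example's own convention.
DATA_MAP = {
    "customer_ssn": {
        "regulated": True,
        "acquisition": {"source": "web_form"},
        "use": {"purpose": "identity_verification"},
        "sharing": {"third_parties": ["credit_bureau"], "agreements": ["credit_bureau"]},
        "storage": {"system": "crm_db", "encrypted_at_rest": False},
        # no disposal stage recorded: the gap the checklist's own example describes
    },
    "support_tickets": {
        "regulated": False,
        "acquisition": {"source": "email"},
        "use": {"purpose": "customer_support"},
        "sharing": {"third_parties": ["helpdesk_vendor"], "agreements": []},
        "storage": {"system": "helpdesk_saas", "encrypted_at_rest": True},
        "disposal": {"retention_days": None, "method": "vendor_delete"},
    },
    "payroll_records": {
        "regulated": True,
        "acquisition": {"source": "hr_onboarding"},
        "use": {"purpose": "payroll"},
        "sharing": {"third_parties": [], "agreements": []},
        "storage": {"system": "hr_db", "encrypted_at_rest": True},
        "disposal": {"retention_days": 2555, "method": "crypto_shred"},
    },
}

# Constructed analyst ratings (step 3.3), keyed by (category, issue):
# (likelihood, impact) on a 1 (rare/negligible) to 5 (almost certain/severe) scale.
RATINGS = {
    ("customer_ssn", "no disposal stage mapped"): (4, 4),
    ("customer_ssn", "regulated data stored unencrypted"): (3, 5),
    ("support_tickets", "no retention period defined"): (3, 2),
    ("support_tickets", "shared with helpdesk_vendor without a data use agreement"): (2, 4),
}

RISK_TOLERANCE = 8  # assumed: any score above this must be treated, not accepted


@dataclass
class Finding:
    category: str
    stage: str
    issue: str
    likelihood: int = 0
    impact: int = 0

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def find_gaps(data_map: dict) -> list[Finding]:
    """Walk each category's life cycle and flag the gaps steps 2.3 and 3.1 describe."""
    findings: list[Finding] = []
    for cat, rec in data_map.items():
        for stage in STAGES:  # every category must have every stage mapped
            if stage not in rec:
                findings.append(Finding(cat, stage, f"no {stage} stage mapped"))
        disposal = rec.get("disposal")
        if disposal is not None and not disposal.get("retention_days"):
            findings.append(Finding(cat, "disposal", "no retention period defined"))
        storage = rec.get("storage")
        if rec.get("regulated") and storage and not storage.get("encrypted_at_rest"):
            findings.append(Finding(cat, "storage", "regulated data stored unencrypted"))
        sharing = rec.get("sharing", {})
        uncovered = set(sharing.get("third_parties", [])) - set(sharing.get("agreements", []))
        for party in sorted(uncovered):
            findings.append(Finding(cat, "sharing", f"shared with {party} without a data use agreement"))
    return findings


def rate(score: int) -> str:
    """Map a likelihood x impact score onto qualitative bands (assumed cut-offs)."""
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def prioritize(findings, ratings, tolerance=RISK_TOLERANCE):
    """Step 3.4: score each finding, order by score (impact breaks ties), and
    split into risks to treat now and risks within tolerance that may be accepted."""
    for f in findings:
        f.likelihood, f.impact = ratings[(f.category, f.issue)]  # unrated finding -> KeyError, on purpose
    ordered = sorted(findings, key=lambda f: (-f.score, -f.impact))
    treat = [f for f in ordered if f.score > tolerance]
    accept = [f for f in ordered if f.score <= tolerance]
    return treat, accept


def run_assessment(data_map=DATA_MAP, ratings=RATINGS, tolerance=RISK_TOLERANCE):
    return prioritize(find_gaps(data_map), ratings, tolerance)


if __name__ == "__main__":
    treat, accept = run_assessment()
    for label, group in (("TREAT", treat), ("ACCEPT", accept)):
        for f in group:
            print(f"{label:6} {rate(f.score):8} {f.score:2}  {f.category}/{f.stage}: {f.issue}")
```

Keeping the map and the ratings as data rather than in a spreadsheet means the gap check can run in a pipeline each time a system is added, and an unrated finding fails loudly instead of silently dropping out of the register. The tie-break on impact reflects the checklist's ordering: when two risks score the same, the one with the more serious consequences is treated first.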
3.5 Identify and implement corrective data privacy controls
Privacy controls are the administrative, technical, and physical safeguards an organization uses to satisfy data privacy requirements and meet its privacy objectives. Corrective privacy controls act after an incident: they contain the damage caused by a data security breach and restore affected systems and data to a known-good state (for example, from verified backups). For each prioritized risk, a plan to correct or respond to the potential breach should be in place and ready to execute immediately. This limits the losses that accrue while systems are down before a mitigation strategy is improvised.
Step 4 – Identify the organization’s existing data privacy controls and add to them
Once an organization identifies its privacy risks and the privacy controls it has in place, it can compare the two to identify any gaps in its controls.
Privacy controls help protect private data in a number of ways:
- prevent a threat from occurring;
- recognize that a threat has occurred;
- reduce or eliminate the effect of a threat; and
- mitigate or lessen damage.
4.1 Identify existing administrative data privacy controls
An administrative data privacy control relates to the human factors that impact data privacy and security. The term includes the access and management of data by individuals who work at the organization. It also includes procedural safeguards, such as determining who is permitted to access the data. The identification of existing controls gives a framework for analyzing the controls in place to protect data.
Common administrative data privacy controls include the following:
- access or security clearances for staff members;
- security education and training;
- password management policies; and
- compliance monitoring of third parties and independent contractors.
4.2 Identify existing technical data privacy controls
A technical data privacy control uses technology to reduce data vulnerabilities. Such controls may be a part of the information technology or information security programs used to store and process data. Identification of existing controls provides a framework for analyzing the controls in place to protect data.
Common technical data privacy controls include:
- encryption;
- antivirus and anti-malware software;
- security information and event management (SIEM) systems; and
- data loss prevention programs.
4.3 Identify existing physical data privacy controls
A physical data privacy control is a security measure that is designed to deter or prevent unauthorized access to a physical structure or electronic media. The identification of existing controls provides a framework for analyzing the controls in place to protect data.
Common physical data privacy controls include:
- closed-circuit surveillance cameras;
- alarm systems;
- security guards; and
- identification badges.
4.4 Identify other data privacy controls in place
The identification of existing controls provides a framework for analyzing the controls in place to protect data.
4.4.1 Organization-specific controls
Organization-specific controls refer to other technical and non-technical privacy controls that the organization has implemented to protect data privacy. The term includes measures to prevent, detect, or remedy intrusions. Examining these controls allows an organization to ensure that it has the requisite systems in place to guard against, and to respond to, any breaches of the security of the data it maintains and uses.
4.4.2 Standard-setting organization
A standard-setting organization is an entity that develops, promotes, and interprets standards applicable to a wide base of users, or to members of the organization. The standards that are set are often taken as the best practices for an industry or practice. Those conducting the risk assessment should be aware of these standards, and should ensure that the organization follows the standards relevant to data privacy and compliance. For example, in the context of data privacy and security, NIST is a standard-setting organization that publishes standards and frameworks for managing privacy and cybersecurity risk.
4.5 Assess whether controls are sufficient
Carry out an assessment to consider whether existing controls are sufficient to address the data privacy risks identified.
4.6 Create and implement additional responsive data privacy controls
Responsive data privacy controls should be created and implemented for each privacy risk. Tailor each control to the specific risk or situation that needs to be addressed. Do regular audits or tests to ensure that the controls function as planned.
Additional Resources
- National Institute of Standards and Technology (NIST) Cybersecurity Framework
- National Institute of Standards and Technology (NIST) Privacy Framework
- Department of Health & Human Services HIPAA Guidance Materials
- Federal Trade Commission (FTC)’s Disposal Rule
- Federal Trade Commission (FTC)’s GLBA Guidance for Businesses
- International Association of Privacy Professionals (IAPP) Resources
Related Lexology Pro Content
How-to guides:
How to determine and apply relevant US privacy laws to your organization
How to manage your organization’s data privacy and security risks
How to implement privacy by design within your organization
How to develop, implement, and maintain a US privacy law compliance program
How to develop, implement and maintain a US information and data security compliance program
How to evaluate the effectiveness of a data security or data privacy compliance program
How to develop a vulnerability disclosure program (VDP) for your organization to ensure cybersecurity
How to draft a privacy policy, and privacy and data security provisions in contracts
How to manage third party supply chain data privacy, security risks, and liability
Incident response plan readiness and identification of a reportable data breach
How to prepare for and respond to a governmental investigation or enforcement action for violation of US privacy laws
Checklists:
Understanding privacy laws in the US
Drafting internal privacy policies and procedures
Completing a data and information security risk assessment
Drafting a consumer privacy policy
Developing key privacy and data security contractual terms and provisions (B2C)
Privacy and data security law training
Completing a data incident response plan assessment
Responding to a data breach
Privacy and data security due diligence in M&A
Quick views:
Key data privacy and data security terms
Collection and use of non-consumer data
Regulation of data brokers