
Risk Assessments Overview

DataGrail Risk Assessments simplify the creation and maintenance of Data Protection Impact Assessments (DPIAs) and Privacy Impact Assessments (PIAs). Your privacy team will use Risk Assessments to proactively assess privacy risk and prevent public incidents.

Your team will take advantage of features including:

  • Utilizing existing data from your tech stack and DataGrail’s 2,000+ integrations to expedite assessment completion and ensure accuracy
  • Uncovering and mitigating AI privacy risk across teams
  • Launching standardized privacy assessments created by privacy experts or your own team
  • Completing periodic DPIAs, as required per GDPR

Get a Demo

Learn more about how you can protect your customer's personal data by scheduling a demo with DataGrail!

Minimize Risk

Data Protection Impact Assessments (DPIAs) and Privacy Impact Assessments (PIAs) are required by GDPR, CPRA, and other current and future laws, legislation, and auditors.

DataGrail allows you to quickly identify new risks and handle risk assessments in one place. Understand which third-party apps are being used -- and by whom, why, and how -- in record time, with little interruption to your daily tasks.

Assessment overview

DataGrail has translated the "legal language" to guide privacy managers and their colleagues through risk assessments for GDPR, CCPA/CPRA, and future legislation. We use existing information about your tech stack to expedite assessments, giving technical teams time back and replacing human error with process automation.

With standardized questions, integration-powered responses, and easy, in-platform collaboration tools, anyone at your organization can get up-to-speed about evolving requirements for upholding consumer privacy.

Leveraging DataGrail's Intelligence Library

When assessing a new system or an existing vendor, Risk Assessments can streamline the process by pre-filling information for systems that are available in the DataGrail Intelligence Library or already in your System Inventory. Rather than having to interview every system vendor, you can leverage DataGrail's Pre-filled Answer Types to auto-populate information such as the likely personal data categories a particular system or vendor may process.

Example DPIA question

When and if you make the decision to implement the evaluated system, you can add it to your System Inventory in three ways:

  1. Automatically through System Detection.

  2. Automatically when adding a new integration to DataGrail.

  3. Manually in your System Inventory.

Any Risk Assessments conducted on these systems will appear in the Assessments tab on the System Profile when you add the system to your inventory. This allows you to see and maintain a historical record of all existing risk assessments that have been conducted on a system for audit purposes.

Data Protection Impact Assessments (DPIAs)

A Data Protection Impact Assessment (DPIA) is an instrument designed to help organizations systematically analyze, identify, and minimize the data protection risks of a project or system.

DPIAs in DataGrail include templates, checklists, and workflows to help you evaluate the necessity and proportionality of your data processing activities, assess potential risks to individuals' privacy rights, and determine measures to address those risks.

The DPIA workflow is designed to ensure compliance with the GDPR's requirement to conduct a DPIA where data processing is likely to result in a high risk to individuals' rights and freedoms.

Common Triggers

Per GDPR Article 35, a DPIA should be conducted before implementing data processing technologies or initiating processing activities that pose a “high risk to the rights and freedoms of natural persons.” The risk assessment here will also depend on the “nature, scope, context, and purposes of the processing.”

Regulatory guidance for the GDPR is comprehensive. European data protection authorities prescribe DPIAs when you, for example, are:

  • Using new or novel technologies such as ML/AI
  • Engaging in large-scale processing activities
  • Collecting data on people’s locations or behavior
  • Monitoring persons’ activities in public spaces
  • Processing special categories of GDPR personal data (i.e. sensitive data)
  • Making fully automated decisions about individuals with a legal or equally significant effect
  • Handling children’s data

These and other relevant factors must be considered as part of a thoughtful DPIA. This ensures that business needs can be balanced against the privacy rights, freedoms and reasonable expectations of individuals, and that appropriate technical and organizational controls can be applied to reduce the likelihood of data misuse or abuse.

Privacy Impact Assessments (PIAs)

Relative to a DPIA, a PIA is a more general term of art, and in the US arises from the kinds of formal assessments federal agencies must conduct per the E-Government Act of 2002. Broadly speaking, a PIA is a privacy-compliance assessment often used to identify privacy requirements for a new product, project or activity, as well as for any changes to a company’s privacy practices, policies or promises.

For a given processing activity, PIAs in DataGrail allow you to evaluate and document the types of personal data currently processed, the purpose for which that data is collected, the practices used to share that data internally or externally, and the controls currently in use to safeguard access to data environments.

Common Triggers

Taking cues from the Securities and Exchange Commission (SEC), one of a number of US federal agencies required to conduct Privacy Impact Assessments under the E-Government Act of 2002, you should complete a Privacy Impact Assessment if you are:

  • Optimizing or implementing new technologies, processes, or systems to handle personal data
  • Modifying a system currently in use to process personal data
  • Implementing a new method to collect personal data from more than 10 persons
  • Expanding business operations internationally

You may not be required to complete a PIA for each system or process within your tech stack, and a per-system PIA is not meaningful when you are assessing a business process, project or opportunity. Nevertheless, you will need to gather as much factual information as possible about the activity and any relevant technologies that may be involved.

There may also be specific instances where a Privacy Impact Assessment is not strictly required but recommended as a matter of best practice. It’s always best to consult a designated Privacy Officer under these circumstances—a decision to not document a PIA may also need to be documented.

Further reading

To better understand approaching risk assessments within and beyond DataGrail, we recommend these resources:


Need help?

If you have any questions, please reach out to your dedicated CSM or contact us at support@datagrail.io.

Disclaimer: The information contained in this message does not constitute legal advice. We would advise seeking professional counsel before acting on or interpreting any material.