Updating a system that results in new privacy risks
As per the US Department of Homeland Security guidelines requires, any “updating a system that results in new privacy risks” must be accompanied by a conducted PIA. While PIA is like an umbrella and covers most areas of privacy protection, this function of PIA is similar to DPIA (GDPR’s Data Protection Impact Assessment), which is about ongoing processes and maintaining compliance since we are not collecting PII but trying to safely preserve the process and storage during and after the update. Anyhow, we are going to need to answer these questions in order to have a complete PIA:
- Description of the update.
- How will data be maintained during the update or be derived to the new version?
- How will derived data from the old version to the new version be checked for accuracy?
- The methods the new update is going to use the data.
- Is there any new data exposure or possible sharing due to this update?
- Will individuals be notified, or are they entitled to be notified about this update?
- Is there any retention procedure planned? If so, what is the retention period, and what is the verification methodology?