Privacy Impact Assessments/Analyses (PIAs) are an important aspect of privacy compliance documentation, but aren’t the only evaluations necessary for an organization.
Privacy teams also create PTAs to preemptively detect an organization’s PII use, which, if identified, would require subsequent PIAs.
Typical PTAs include the following information:
The purpose of the Privacy Threshold Analysis (PTA) is to help a company’s departments assess the information in their systems and determine how to appropriately treat data that has been acquired by the organization.
PTAs primarily focus on two main areas:
Why do we need PTAs?
PTAs are useful for initiating communication and collaboration between a company’s departments, including the CPO, information security officer, CIO, and even the heads of the HR, marketing, IT, and operations teams.
The PTA is an effective tool that helps organizations analyze and record the potential privacy documentation requirements of corporate activities.
As recommended in National Institute of Standards and Technology (NIST) Special Publication 800-122:
“PTAs are used to determine if a system contains PII, whether a Privacy Impact Assessment is required, whether a System of Records Notice (SORN) is required, and if any other privacy requirements apply to the information system. PTAs should be submitted to an organization’s privacy office for review and approval. PTAs are often comprised of simple questionnaires that are completed by the system owner.”