Threshold assessment
Business processes can expose the rights and freedoms of natural persons to significant risk. Privacy Impact Assessments (PIA) and Data Protection Impact Assessments (DPIA) assess the risks to the rights and freedoms of data subjects that arise from a specific business process.
After onboarding a Business Process asset, a Threshold assessment helps you determine whether or not a PIA or DPIA is needed. If it is determined that an assessment is necessary, the Owner or Business Steward for the Business Process asset will have to complete the relevant assessment:
- PIA, if complying with CCPA.
- DPIA, if complying with GDPR.
Note The Threshold assessment is not mandatory. It is designed to help you determine whether or not a PIA or DPIA is necessary. If, by chance, your organization determines that it wants a PIA or DPIA to be run for all Business Process assets, a Threshold assessment is not necessary.
Requirements
In this assessment, three types of questions are asked:
| Question type | Description |
|---|---|
| Hard application | If the user answers "Yes" to a hard application question, a PIA or DPIA is required for the Business Process asset, regardless of the answers to the soft application and hard exception questions. |
| Soft application | If the user answers "No" to the hard application questions, but "Yes" to two or more soft application questions, a PIA or DPIA is required for the Business Process asset. However, if you answer "Yes" to just one soft application question, it is in your best interest to complete a PIA or DPIA. |
| Hard exception | Hard exception questions have no real bearing on whether or not a PIA or DPIA is required. Answering "Yes" to a hard exception question is an indication that a PIA or DPIA might not be necessary. |
Tip In general, if you have any doubt as to whether or not PIA or DPIA is necessary, we strongly recommend that you conduct the applicable assessment.