Our lovely new Assessments module launched in February 2025. Assessments have always been in Keepabl – prompted, linked, uploaded and reported on – and now you can carry out the Assessment itself in Keepabl too – and it is amazing!
Do ask for a demo to see how we solve your Assessment process nightmares!
Talking of which, we put together a Keepabl video on the 4 main Privacy Assessments!
This video focusses on our findings on the top 4 Privacy Assessments:
We run through:
Here it is:
Hi! I’m Robert from Keepabl and, in this short video, I’ll give you the highlights from our year-long Roadmapper exercise on Assessments. We’ll focus on DPIAs, LIAs, and TIAs, starting with how many people do each and how they do them, so you can benchmark yourselves there too.
And stick with us as we’ll lay out the Top 5 Traps to avoid.
So, what did we find out?
Well, the top line is your assessments themselves may well be fine. You’ll have used a good template and iterated them over time. What causes all the issues, what drives those difficulties in getting them actually done, is the process.
Now, stick with us as we’ll set out the 5 biggest issues with this and how to solve them. But first, let’s look at the context – how many assessments people are doing, how they’re doing them – and let’s start with DPIAs.
Of course, the DPIA under GDPR is different from the DPIA in Singapore, for example, or the PIAs in Canada and Australia, or the risk assessments in California, etc, etc. There’s so many different ones around, but they all assess the impact on the individual from your processing their data. So, we’ll call them all Impact Assessments.
Now, we found that Impact Assessments, and GDPR’s DPIA in particular, are carried out the most – by far. And that’s not surprising because the DPIA is the only one specifically required by GDPR itself – and our conversations were mostly in the UK and Europe.
We also found a very high rate of voluntary DPIAs, particularly in large organisations and groups – they’re often done per project, or per vendor, as a great tool to drive focus, head off issues, identify rewards, and get the right people talking.
We also saw a common variation on this, where organisations instead enforce carrying out Threshold Assessments in the same way, which logically reduces how many DPIAs you end up carrying out.
In terms of how they’re carried out, Impact Assessments are also the ones much more often led by a non-Privacy pro – the Product Manager, or the Marketing Manager, for example – who would bring in colleagues from IT, Security, Legal, or Privacy as needed.
Right, next, Legitimate Interests.
We found that LIAs are very much focused on higher-risk processing with a sharp tail-off outside that range. Again, this makes a lot of sense because GDPR is a risk-based law, and indeed DPOs are specifically tasked in GDPR with tackling high-risk processing first.
Now, in terms of how they’re done, LIAs are more balanced, with many led by Business Process Owners and many led by the Privacy Pro. Whichever way round it is, though, Privacy teams have a big hand in these assessments which, again, is not surprising given the content.
Now, let’s look at Transfers.
TIAs are particularly interesting because we found a decent number of organisations deliberately restricting transfers to countries with an adequacy decision under GDPR, so that no TIA is needed. And not just small organisations, some pretty large groups too. Of course, that doesn’t work for everybody.
Now, we did find that TIAs are rarer in smaller organisations. Maybe it’s because TIAs are just very difficult. Maybe it’s the cost of external advice and the budget needed. Maybe it’s because they have fewer transfers and fewer suppliers. We didn’t get into that level of detail, but it’s clear that larger organisations, or groups, made much more use of external advisors, particularly on the laws and practices of third countries. And that makes sense. They’ve got much more budget.
And in terms of how they’re done, it’s the opposite of DPIAs. They’re almost always done by the Privacy pro with input from the internal or external Legal or Privacy advisory, which again makes sense given their nature.
So, that’s our qualitative study. How about some statistical facts?
Let’s look at the IAPP Privacy Governance Report from 2024.
This is a really good report, the Governance Report from 2024, and it includes reports on the average number of Privacy actions per organisation in 2023, including assessments.
So, here’s what the IAPP found, and you can see that European organisations carried out about 3 times the number of Impact Assessments compared to North America and about 6 times the Transfer Assessments. This makes sense given the laws in each region.
Just to note, LIAs aren’t covered in the survey results.
Now, these are all large numbers, but the IAPP study helpfully breaks them down by organisation size, based on the total number of employees. And we’ve included the overall average there, so you can see just how skewed they are by the large numbers that the largest enterprises carry out.
So, if we focus on that middle section, 1,000 to 25,000 head count, the numbers probably have a much more familiar ring to most people. You’re doing between around 170 and about 310 Impact Assessments, and that’s every year. So, you’re going to be building up that file library.
Now, even if you are from 100 to 1,000 head count, you’re still doing 25 Impact Assessments a year. So, then that’s going to be 50 after year two, et cetera. This really drives home the importance of having a great management system in place for your Privacy, and one that really is focused on the process to make it as human and doable as possible.
Right, back to our Roadmapper process and the Top 5 Traps we were told about to avoid in your assessments process.
Now, while our Roadmapper discussions were mostly in the UK and Europe, we believe these Traps and the related solutions will likely speak to you wherever you are.
First up, it’s a Noisy Library.
You’ve probably got a template DPIA, LIA, TIA, as well as all your other ones. As you release new versions, these are just going to get busier and busier. So, which is the last template to use?
It’s a real problem for people.
And our 2nd Trap, Version Control.
You start off with something that’s not bad. You iterate it and tailor it for your organisation, until you’ve got a golden one, but then you find people are still using old versions either because of that Noisy Library or because they’ve just copied an old assessment and started afresh from there.
Trap #3: Switching. If you go from v1 to v2, you’ve got all these v1s out there. You bring in v2 and it can kill all in-flight assessments on v1, which is not what you want to happen.
And Double Counting is our 4th Trap.
You do the same, say, DPIA on cloud hosting every year for four years. Do you have four or do you have one? I’d say you’ve probably got one DPIA on your cloud hosting, you’ve just done it each year.
So, Trap #5: Getting it Done.
Your document, as I said, is probably not bad. And, in that balance of usability and detail, it’s going to be the process. You can only dumb down an assessment so far before it’s worthless. It has to have a certain level of detail, which puts a lot of the pressure on your process.
So, what are the solutions?
Well, #1: have a really clean template library. Make sure you’ve only got the ones in there that you want people to use.
#2: prevent the use of legacy templates. And this is hard. Having a clean template library will help, but how do you stop people picking up an old assessment and just copying it to use again?
And #3: you want to be able to allow completion of in-flight assessments when you go from, say, v1 to v2 or v2 to v3. You don’t want to kill off those in-flight ones. But then that feeds in again: how do you prevent use of those legacy templates going forwards?
All of this means you’ve got to have accurate, transparent counts of the number of assessments you are actually using.
And the big one, a human, easy process. Look at it from the side of your users. Where might they pick up a template from? How do you make sure you nudge them in the right direction? And how do you make sure that process is as easy for them as possible?
So, you can look to try and implement these in a shared drive situation or find the right solution or software to manage it. As you can see, it’s worth that investment given the number of Privacy actions, and that’s even without talking about Data Subject Rights and Breaches.
Well, after that year-long Roadmapper exercise, and over three months handing it from Product to Engineering, all of these solutions are in Keepabl’s assessment module!
So, do please come and contact us at hello@keepabl.com, or come through our website. We’d love to show it to you. Take a demo and have a two-week free trial.
Look forward to speaking to you soon. And in the meantime, I hope this video has been a lot of help.