Background

Privacy assessments such as Legitimate Interest Assessment (LIA), Data Protection Impact Assessment (DPIA), Technology Impact Assessment (TIA), and Privacy Impact Assessment (PIA) are required by law in various jurisdictions and are conducted to ensure compliance with privacy laws, manage privacy risks, and protect individuals' privacy rights. TerraTrue enables organizations to complete assessments through their privacy review workflows to document transparency and accountability in data processing practices and ensure compliance with privacy laws. This can help prevent data breaches and other privacy incidents.

Issues with TerraTrue assessment flexibility

From discovery with several rounds of user interviews with our large clients, we learned that a majority of current customers largely complete this important step to ensure privacy compliance outside of TerraTrue. In addition, several sales prospectives provided feedback that the assessments are too static and doesn't fit with their organization's framework and requested that we make the assessments fit their various needs before engaging with TerraTrue.

In order to understand the pain points with our current assessment, we interviewed 8 large client privacy program teams who used our privacy solution and mapped out all the various areas of the privacy review journey to map out the problems of completing an assessment within TerraTrue.

The major insight found was that TerraTrue’s assessments is fixed and inflexible. The inflexible template did not allow for the user to enter in questions required for the business to address business policy related privacy guidance or provide required narratives about various risk balancing or hide or remove any questions that was not required by their organizations. In addition, many orgs used specific terminology that did not align with the pre-set assessment terminology which caused the users to rework on a separate document after exporting the assessment to fit their needs.

Another major pain point was that assessments are triggered in the privacy worksheet was too much and too granular. TerraTrue's assessment triggers were based on legacy logic from user input in the data spec and privacy worksheet broken into granular "N"th data use and data types combinations. Users from various privacy program echoed that they found it confusing why so many assessments are triggered. We learned that privacy programs typically conducted assessments less on individual data uses and data type combinations but rather a group of related processing activities. Due to the granularity of the triggered assessments, many users conducted assessments outside of TerraTrue.

How might we make privacy assessments within TerraTrue flexible enough to meet the needs of various privacy programs and meet the needs of the evolving privacy requirements?

Challenges with legacy logic

The TerraTrue Assessments were one of our long untouched legacy applications, built by developers with no design input. Over the years the backend logic was unchanged, causing the framework to be highly un-flexible with a lot of developmental constraints. I was tasked with redesigning and phasing out a flexible assessment framework. The project was too large to take upon in a single quarter. The project was broken down into manageable phases to address the biggest pain points of users and update the foundational areas of the assessment framework. Collaboration with the product manager and engineering partners ensured feasibility and timely implementation of the roadmap.

Phase 1:

Allowing assessments to be optional and showing triggers

Phase 2:

Allowing the addition of assessments outside of the privacy worksheet

Phase 3:

Consolidating workflow builders into a single section to further include Privacy Assessments page

Phase 4:

Allowing for the assessment to edit to use the builder

Phase 5:

Creation of multiple assessments from a baseline template + Trigger Definition

Phase 6:

New narrative style assessment templates - Narrative style + TIA

Phase 7:

Exporting assessment upgrade (.CSV, .PDF)

Current and future work includes:

• Phase 8: Linking the same assessments across multiple launches - IN PROGRESS

• Phase 9: Ability to add multiple data uses and data types over time for a single assessment - UPCOMING

• Phase 10: Ability to remind user of re-assessment + Completing a new version for reassessments - UPCOMING

• Phase ∞: And of course, continuous testing, validation, and iteration in addition to the incremental flexibility enhancing feature phases

By taking a phased approach to redesigning the assessment framework, TerraTrue is addressing the flexibility needs of various privacy programs. Continuous improvement and iteration will ensure that TerraTrue remains adaptable to evolving privacy requirements, helping organizations protect individuals' privacy and comply with relevant laws.