Privacy Assessments | Services | Venable LLP

Privacy Assessments

With experience across a wide range of sectors, Venable offers a variety of privacy program assessment services, from comprehensive, top-down review to narrowly defined and focused reporting. Our assessments provide a clear understanding of your organization’s strengths, areas for improvement, and marketplace position, so that you can optimize your privacy program for both the near and long term.

Assess - Respond - Connect

With a strong track record of implementing successful privacy programs, our team has a deep understanding of privacy maturity frameworks and models. In fact, many of our privacy team leaders developed the very frameworks that are now globally recognized standards. Regardless of your company’s size or maturity, Venable will partner with you to evaluate and help future-proof your privacy program. We also support business leadership in leveraging your privacy program as part of establishing a strategic data vision and robust governance models.

Developing a well-informed privacy strategy begins with understanding how effective your existing practices are, and a comprehensive assessment of your privacy program is the starting point. Scoring the program against a standardized maturity framework gives you a baseline: it documents where the organization stands today, lets you benchmark progress against the same framework year over year, and gives you a consistent way to measure the return on your privacy investment. The assessment produces analysis and insights, targeted findings, tailored recommendations, and a detailed roadmap, so that your organization can judge how effective its privacy practices actually are and decide what to improve first.

We leverage internationally recognized standards to guide our assessments, including the following frameworks:

  • National Institute of Standards and Technology (NIST) Privacy Framework 
    The NIST Privacy Framework is a flexible, outcome-based tool organized into five functions (Identify-P, Govern-P, Control-P, Communicate-P, and Protect-P), each broken down into categories and detailed subcategories that describe the outcomes and activities a privacy program needs to achieve.
  • American Institute of CPAs (AICPA) Privacy Management Framework
    The AICPA Privacy Management Framework (the successor to the Generally Accepted Privacy Principles) organizes privacy practices into nine components grounded in the fair information practices reflected in privacy laws and regulations across many jurisdictions.

Drawing on prior experience partnering with clients in developing holistic privacy programs, we typically identify a framework that encompasses applicable legal obligations. A comprehensive privacy program assessment combines legal and consulting services that are protected by attorney-client privilege to the extent allowed by law.

When your organization needs to address a specific requirement, risk, or area of concern, or simply needs to evaluate its compliance with particular data privacy laws and regulations, Venable can appraise your current privacy posture with an assessment focused on one or more selected legal requirements. These narrowly scoped assessments can be conducted on their own, based on your specific needs, or in combination with a more comprehensive privacy program evaluation, and are protected by attorney-client privilege to the extent allowed by law.

We offer:

  • Health Check – If your organization is a Covered Entity or a Business Associate under the Health Insurance Portability and Accountability Act (HIPAA), or is subject to other healthcare-related laws, Venable can perform a variety of assessments to determine your compliance with the HIPAA Privacy and Security Rules, including the risk analysis the Security Rule requires, as well as other requirements under applicable law
  • Biometric Privacy Assessments – Venable can evaluate your organization’s biometric handling practices, policies, and procedures to determine the applicability of and compliance with a growing number of biometric privacy laws, such as the Illinois Biometric Information Privacy Act and multiple other state laws, as well as relevant FTC policy statements regarding handling of biometrics
  • Child and Teen Privacy – The Children’s Online Privacy Protection Act (COPPA) applies more widely than many organizations realize, and failure to comply is one of the leading causes of FTC consent decrees. State law requirements relating to teens and children are also evolving. By testing age gates and other child privacy procedures, as well as the “look and feel” of your websites and apps, this service helps mitigate potential claims under COPPA and under other regulations and guidance relating to teens and children

Several U.S. states have now enacted data privacy laws, two of which have added lengthy regulations, creating yet another layer of requirements for your business. Until Congress passes a national, preemptive data privacy law, the market will only become more complex as additional state laws go into effect.

By deploying a rigorous consumer simulation and assessment, Venable can help your organization identify and remediate the most public-facing risk vectors before an attorney general or a regulator does it for you. Through active testing of the externally facing elements on your website(s) and app(s), our Customer View Assessment serves as a “secret shopper” review, intended to improve, or confirm, your compliance readiness. Following this testing, you will receive our assessment results and an actionable list of recommended remediations, protected by attorney-client privilege to the extent allowed by law.

In addition to testing your publicly accessible front-end disclosures and controls, Venable offers a suite of back-end testing and analysis options that build on the front-end review, along with related assessment offerings. These additional services include:

  • Data Subject Rights (DSR) Assessment: Test DSR request and response processes for access, deletion, correction, and opt-outs
  • Red Team Testing: Exercise the DSR process end to end, in the same way regulators, advocacy groups, and consumers will experience their engagement with you
  • Testing Permissions and Notices for Sensitive Data: Test permission mechanisms and review notices related to the collection and processing of sensitive data
  • Transparency Analysis: Review public-facing notices such as permissions/setting screens, FAQ/Help notices, among others, for compliance with statutory requirements and consistency with the other processes tested, and compare benchmark notices with industry practice
  • Dark Patterns: Review consumer paths in websites and apps for potential “dark patterns” related to DSRs, consents, and other privacy requirements
  • Tech Check: Test cookies, pixels, tags, and other data collection and sharing technologies on your website/app to help identify practices or potential breakages that can lead to privacy enforcement or complaints
  • Third-Party Risk and Vendor Diligence: A thorough risk assessment of your vendors, paired with contract review, to help ensure that the processes and clauses needed to protect your organization’s personal data, as required by law and by your organization’s own policies, are in place

Many organizations carry additional privacy compliance obligations arising from new or legacy regulatory and legal actions. Whether they stem from consumer litigation, a federal consent decree, or a state attorney general action, these obligations require your organization to stand ready to demonstrate compliance or face potential sanctions. Venable can assess and document your compliance posture to meet these reporting obligations. These assessments can be performed in combination with our other assessment offerings or as stand-alone services, as needed.

Explore our Privacy and Data Security services.