  1. Hybrid Cloud Console
  2. RHCLOUD-27416

[Productize] Privacy Impact Assessment - InfoSec

    • Platform Pipeline Sprint 70, Platform Pipeline Sprint 71, Platform Pipeline Sprint 72, Platform Pipeline Sprint 73, Platform Pipeline Sprint 74, Platform Pipeline Sprint 75, Platform Pipeline Sprint 76, Platform Pipeline Sprint 77, Platform Pipeline Sprint 78, Platform Pipeline Sprint 79

      Background: The Privacy Impact Assessment (PIA) process helps the Red Hat Global Privacy Program identify and mitigate privacy risks associated with processing personal data through Red Hat's vendors, applications, systems, products, services, or business processes. Many global privacy laws including GDPR (EU), CCPA (California), LGPD (Brazil), and PIPL (China) require evidence that systems and business processes have undergone a Privacy Impact Assessment.

      Do I have to submit a PIA?

      A PIA should be submitted any time you are building, launching or onboarding an application, system, product, service, business process, or third-party vendor. The processing of personal data may lead to additional privacy implications. The PIA should be submitted as soon as reasonably possible once the project is scoped and understood well enough to communicate the goals, objectives and functionality and answer questions to help assess risk.

      How do I submit a PIA?

      Step 1: A CMDB entry is now a pre-requisite to completing a PIA. Create a CMDB Entry here

      Step 2: Once your CMDB record has been approved, the ServiceNow system will auto-generate a Privacy Impact Assessment Survey for you. You will be notified via email once the PIA Survey has been generated. You can click on the link in the email to access the PIA Survey and click on “Get Started”, or go to help.redhat.com (http://help.redhat.com/), click on “View Existing” (in the top right corner) and select “Surveys and Assessments”. You will find the Privacy Impact Assessment Survey ready for you to take under “Open” Assessments.

      Step 3: Once you have completed and submitted the PIA, it will be reviewed and a set of findings and recommendations identified and assigned to you. PIAs are generally assigned to a reviewer within 10 business days. The PIA reviewer will reach out if they require clarification on the details submitted in the assessment. Depending on the use case and level of complexity, the review may take 2-3 weeks or more. 

      Step 4: Review the actions and make a plan to remediate these. Note: Your Privacy Impact Assessment is not considered completed until you have remediated ALL Issues. Once all issues have been resolved, the assessment will indicate an ‘Approved’ status. Find out more about the remediation process here

      When is my PIA considered complete?

      Your PIA is done when it is signed off as ‘Approved’ by the Data Security Privacy Team.

      Responsible: Engineering  

      Consulted: Product Management, Program Management

      Dependencies: Product Security onboarding (Tier 1 Readiness), SRE onboarding and Infosec may also call out the requirement for completing a PIA. 

      Do we have examples? A list of completed PIAs can be found in the PIA Hub. More information on the process for submitting a PIA and relevant training material is available on the source here

      How to get help: PIA Office Hours, pia@redhat.com, Managed Services CoP GChat

            rhn-support-jhatcher Jessica Hatcher