In my last webinar about privacy impact assessments, there were some questions about risk and how to rank it. There are several ways to determine risk rankings as well as what a risk actually is. Most important is experience with various situations and in a number of different verticals in order to understand what risks are commonly present there.
What is Risk?
The first place I always look is the law. After all, when I provide expertise for clients, I am focused on compliance and aligning privacy with business goals. It stands to reason that to comply with something you should first understand that something.
Let’s look to the GDPR for more information. Recital 75 is the key reference we are using in this case, since it provides details on what risk may be as it applies to the EU privacy law. Examples from this recital include discrimination, identity theft or other kinds of fraud, financial or reputational damage, or a loss of confidentiality. Overall, we are talking about the possibility of harms or damages that are “physical, material, and non-material” as described in the law.
So risk is the possibility or potential of harm to a data subject or the organization.
What’s the worst that could happen?
Now that we know what risk is, or at least have a definition to work from, we need to identify risks based on that definition. Think, based on those risks, what the worst possible outcome could be for a proposed processing activity. Could it be a data breach? A violation of the law? A contractual violation? Now, what is the possibility of those things happening? You now have a baseline for possible risk.
If a risk seems entirely ridiculous—unlikely to the point of being equivalent to winning the lottery while being struck by lightning—you may ignore it because we want to focus on likelihood. However, if there is a chance of something happening, such as a breach, you must then prepare for it.
So what risks are there?
There are many examples of risk, so to illustrate what you might see, I have listed some here, but this list is not exhaustive.
- A data breach (this applies to everyone)
- Inappropriate use of information (lack of consent or legal basis, processing not legally allowed, etc.)
- Lack of access controls
- Lack of training for personnel
- Processing sensitive information such as government IDs (these are significantly higher risk)
- Overcollection of information
- Ill-defined retention periods
- Lack of security controls
- Use of third parties
- Lack of contracts or contractual controls
Once risks are identified, you then need to assign a score or ranking to those risks. Because there are again a number of factors to consider, you are relying on experience or existing precedent to make decisions. There are many ways to score risk, which may vary depending on your organization, but I look at three aspects of the risk: (1) the impact of the risk; (2) the chance or likelihood of that risk occurring; and (3) the level of effort to address that risk. Number three is more important when determining mitigations or other measures to address the risk later.
How you actually rank those risks, whether it is using verbiage like “high to low” or “on a scale from 1 to 5,” is up to you. Of primary importance is that you and your team can understand and effectively use this scale or system to address risk. This means you must be able to determine what makes something “high” risk or “low” risk, or what the 1 to 5 scale means. A good place to start would be: “What does a risk rank of 1 look like? What about a 5?”
Additionally, you will want to break risk into its component parts. For example, a specific processing activity may be high risk because it uses particular types of information. The processing itself isn’t high risk, but the information being used is and you should note that.
Now that you have a way of measuring risk and a way of understanding those risks from your organization’s standpoint, you are ready to start mitigating risks. You may already have measures to avoid or mitigate risk in place as a best practice or from a previous project. You will also want to continue tracking those risks that are mitigated in order to determine the effectiveness of those mitigations. Remember as well that risks do not need to be absolutely mitigated, only brought within acceptable levels of risk. If mitigations are still needed, however, you can use your risk rankings and knowledge to evolve more ways to remove risk from the processing activity.
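To make the scoring, component breakdown, and mitigation tracking from the last few paragraphs concrete, here is a small risk-register script. It is an added example, not code from the article or its author, and the specifics are assumptions chosen for illustration: impact, likelihood, and effort each sit on a 1 to 5 scale; a component's score is impact multiplied by likelihood; scores are banded into low, medium, and high; the highest-scoring component drives the activity's overall rank; and a mitigation lowers impact or likelihood by a stated number of steps until it is verified ineffective. The sample "customer onboarding" activity and its components are constructed data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SCALE_MIN, SCALE_MAX = 1, 5  # assumed 1-5 scale for impact, likelihood and effort


def _check_scale(value: int, label: str) -> int:
    if not SCALE_MIN <= value <= SCALE_MAX:
        raise ValueError(f"{label} must be between {SCALE_MIN} and {SCALE_MAX}, got {value}")
    return value


@dataclass
class Mitigation:
    """A measure applied to one risk component; reductions are in scale steps (assumed model)."""
    name: str
    impact_reduction: int = 0
    likelihood_reduction: int = 0
    effective: Optional[bool] = None  # None = applied but not yet verified


@dataclass
class RiskComponent:
    """One component part of a risk, e.g. the category of data the activity uses."""
    name: str
    impact: int
    likelihood: int
    effort: int  # effort to address; used later to order mitigation work
    mitigations: List[Mitigation] = field(default_factory=list)

    def __post_init__(self) -> None:
        for label in ("impact", "likelihood", "effort"):
            _check_scale(getattr(self, label), f"{self.name}: {label}")

    def inherent_score(self) -> int:
        return self.impact * self.likelihood  # 1..25 under the assumed scale

    def residual_score(self) -> int:
        """Score after mitigations; a mitigation found ineffective is ignored."""
        impact, likelihood = self.impact, self.likelihood
        for m in self.mitigations:
            if m.effective is False:
                continue
            impact = max(SCALE_MIN, impact - m.impact_reduction)
            likelihood = max(SCALE_MIN, likelihood - m.likelihood_reduction)
        return impact * likelihood


@dataclass
class ProcessingActivity:
    name: str
    components: List[RiskComponent]

    def driver(self) -> RiskComponent:
        """The component that makes the activity as risky as it currently is."""
        return max(self.components, key=lambda c: c.residual_score())

    def inherent_score(self) -> int:
        return max(c.inherent_score() for c in self.components)

    def residual_score(self) -> int:
        return self.driver().residual_score()

    def mitigation_order(self) -> List[str]:
        """Highest residual score first; among equals, least effort first."""
        ranked = sorted(self.components, key=lambda c: (-c.residual_score(), c.effort))
        return [c.name for c in ranked]


def band(score: int) -> str:
    """Assumed mapping of a 1-25 score onto 'high to low' wording."""
    if score >= 15:
        return "high"
    if score >= 7:
        return "medium"
    return "low"


def within_appetite(activity: ProcessingActivity, appetite: int) -> bool:
    """Risks need not be removed entirely, only brought within the accepted level."""
    return activity.residual_score() <= appetite


def sample_register() -> ProcessingActivity:
    """Constructed example: a customer-onboarding activity broken into components."""
    gov_id = RiskComponent("government ID collected", impact=5, likelihood=3, effort=4)
    gov_id.mitigations.append(
        Mitigation("encrypt at rest + restrict access", likelihood_reduction=2, effective=True))
    retention = RiskComponent("no retention period defined", impact=3, likelihood=4, effort=2)
    vendor = RiskComponent("third-party processor without contract", impact=4, likelihood=2, effort=3)
    return ProcessingActivity("customer onboarding", [gov_id, retention, vendor])


def report(activity: ProcessingActivity) -> Dict[str, object]:
    """Summary a reviewer would read: overall ranks, what drives them, and what to fix next."""
    residual = activity.residual_score()
    return {
        "inherent": activity.inherent_score(),
        "residual": residual,
        "band": band(residual),
        "driver": activity.driver().name,
        "order": activity.mitigation_order(),
    }


if __name__ == "__main__":
    for key, value in report(sample_register()).items():
        print(f"{key}: {value}")
```

Running the script shows the point of breaking a risk into parts: the government ID component is what makes the activity "high" before any work is done, but once its access mitigation is verified, the undefined retention period becomes the driver and the next thing to address. Marking a mitigation's `effective` flag `False` puts the original score back, which is how the register keeps tracking mitigated risks rather than forgetting them.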