What is Risk Management
According to ISO 27000, one of the globally accepted and well-established information security frameworks:
Risk management is a systematic application of management policies, procedures, and practices to the activities of communicating, consulting, establishing the context and identifying, analyzing, evaluating, treating, monitoring and reviewing risk.
7 Steps in Privacy Risk Management
This requires some additional explanation, so let us break the process down into its constituent steps:
Risk identification, analysis, and evaluation are collectively referred to as risk assessment, a sub-process of the overall risk management process.
1. Context establishment
Defining the context means outlining specific areas where risk management will be applied.
In the context of information security, this includes setting the basic rules for managing risks, specifying the scope and limits, and organizing how information security risk management will function within the organization.
If we look at it from a data privacy perspective, the scope would be records of processing activity, as this aligns with the nature, scope, context, and purposes of processing.
It might also consider an organization’s drivers for protecting personal data, such as protecting individuals’ privacy, meeting legal and regulatory requirements, practicing corporate responsibility, and enhancing consumer trust.
During the context establishment phase, you will need to develop the following criteria:
- Risk evaluation criteria – used to evaluate the criticality of the assets involved
- Risk impact criteria – used to describe the degree of damage caused by an incident
- Risk acceptance criteria – used to decide whether a risk is already at an acceptable level
a) Establishing Context in Information Security
In information security risk management, there is much more to consider in defining each of the above criteria.
For example, to determine impact criteria, your organization might want to consider the classification level of the impacted information asset, impaired operations, loss of business and financial value, breaches of requirements (legal, regulatory, or contractual), and more.
The situation is somewhat simpler in data privacy risk management, since risks are always considered from the perspective of individuals, as risks to their rights and freedoms.
b) Establishing Context in Data Privacy
In data privacy risk management, the impacted asset would be personal data, and its classification level would be higher or lower depending on whether personal data is a special category of data.
Loss of business and financial value would not make much sense in the context of individuals’ rights and freedoms, and the same is true for other considerations from information security risk management.
Finally, some additional organizational aspects of risk management need to be considered, the most important being naming the stakeholders, defining roles and responsibilities, and specifying the records to be kept.
2. Risk identification
Risk identification in information security aims to determine what could cause a potential loss to an organization’s assets and gain insight into how, where, and why the loss might happen.
To do this, several sub-steps need to be performed:
- Identification of assets
- Identification of threats
- Identification of existing controls
- Identification of vulnerabilities
- Identification of consequences
You can find out more about each of the sub-steps in the Privacy Risk Management white paper.
3. Risk analysis
While it is possible to build upon the information security approach, in data privacy the level of a risk depends on its impact on natural persons, which is why their perspective has to be considered first.
The meaning of likelihood in information security denotes the chance of something happening (typically a threat exploiting a weakness in a system), while the consequence is the outcome of such exploitation.
As risk assessment in information security differs from its counterpart in data privacy, these terms need to be adapted for use in data privacy.
Likelihood expands to cover the possibility of something bad happening to personal data, while the consequence becomes the severity of the impact on the rights and freedoms of the data subject.
The purpose of risk analysis is to assign a level to each risk, which is usually expressed as: Risk level = Likelihood × Severity
This “formula” is not a strict mathematical equation: it does not mean that the risk level is calculated by multiplying likelihood and severity, only that the risk level is a function of these two quantities.
In order to determine risk levels, use a risk assessment matrix. The matrix from the Data Privacy Manager solution is shown below:
For each identified risk, its consequence and likelihood levels will be combined according to pre-agreed risk criteria, and the risk level is determined.
In our example with a 5×5 matrix, a probable risk (likelihood of occurrence) with major consequence severity results in a moderate risk level.
4. Risk evaluation
The output from the risk analysis phase is then used as the input to risk evaluation.
Levels of all risks need to be compared against risk evaluation criteria and risk acceptance criteria, which have been developed during the context establishment phase.
In information security, risk acceptance criteria provide instructions about who is authorized to accept specific levels of risk and under what conditions. The following tables provide examples of risk acceptance and evaluation criteria:
The output from risk evaluation will be the risk register, a list of risks prioritized according to risk evaluation criteria.
In data privacy, risk evaluation will need to be performed slightly differently, which also means that actions that will be taken will differ.
This is because any risks to individuals’ rights and freedoms originate in the processing of personal data.
This, in turn, means that based on the risk assessment outcome, every processing activity will be marked as “go” or “no go” for processing.
Additional actions might be mandatory consultations with data protection authorities or even representatives of data subjects whose personal data is to be processed.
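The risk analysis and evaluation steps described above, carried through in an added example (not code from the article or from the Data Privacy Manager product). The 5×5 matrix, the scale labels and the acceptance criteria are assumptions; only the "probable × major = moderate" cell is taken from the text.

```python
# Added example (not from the article or Data Privacy Manager): analysis via a
# 5x5 matrix, evaluation against acceptance criteria, prioritised register with
# go/no-go marks. Only "probable x major = moderate" is from the text; rest assumed.
from dataclasses import dataclass

LIKELIHOOD = ["rare", "unlikely", "possible", "probable", "almost certain"]
SEVERITY = ["negligible", "minor", "moderate", "major", "severe"]
# Assumed matrix: rows follow LIKELIHOOD, columns follow SEVERITY.
MATRIX = [
    ["low", "low", "low", "low", "moderate"],
    ["low", "low", "low", "moderate", "moderate"],
    ["low", "low", "moderate", "moderate", "high"],
    ["low", "moderate", "moderate", "moderate", "high"],  # probable x major
    ["moderate", "moderate", "high", "high", "critical"],
]
# Assumed acceptance criteria: (who may accept the level, go/no-go decision).
ACCEPTANCE = {
    "low": ("asset owner", "go"),
    "moderate": ("DPO", "go"),
    "high": ("management board", "go after DPA consultation"),
    "critical": (None, "no go"),
}
LEVELS = list(ACCEPTANCE)  # ascending priority order

@dataclass
class Risk:
    activity: str  # record of processing activity the risk relates to
    description: str
    likelihood: str
    severity: str

def risk_level(likelihood: str, severity: str) -> str:
    # Step 3, risk analysis: the level is a function of likelihood and severity.
    return MATRIX[LIKELIHOOD.index(likelihood)][SEVERITY.index(severity)]

def evaluate(risk: Risk) -> dict:
    # Step 4, risk evaluation: compare the level with the acceptance criteria.
    level = risk_level(risk.likelihood, risk.severity)
    approver, decision = ACCEPTANCE[level]
    return {"activity": risk.activity, "risk": risk.description,
            "level": level, "approver": approver, "decision": decision}

def build_register(risks: list) -> list:
    # Risk register: evaluated risks prioritised with the highest level first.
    return sorted((evaluate(r) for r in risks),
                  key=lambda e: LEVELS.index(e["level"]), reverse=True)

SAMPLE = [  # constructed sample risks for two processing activities
    Risk("newsletter", "mailing list exposed by misconfigured export", "probable", "major"),
    Risk("HR payroll", "health data sent to an unvetted processor", "possible", "severe"),
    Risk("HR payroll", "health data leaked by an insider", "almost certain", "severe"),
]
```

Calling `build_register(SAMPLE)` returns the three risks ordered critical, high, moderate, each carrying the approver and the go/no-go mark for its processing activity.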
5. Risk treatment
This is probably the phase where it becomes most challenging to take the risk management process as used in information security and apply it to the protection of personal data.
In information security, risks can be treated in several distinct ways, depending on the organization’s risk appetite; at the extreme end, a risk can even be accepted if the risk acceptance criteria allow it.
According to ISO 27005, which is an informative (i.e., not mandatory) standard for information security risk management, all available options to treat risks are:
- Risk acceptance (retention)
- Risk mitigation (modification)
- Risk transfer (sharing)
- Risk avoidance
In contrast, protecting personal data might leave you with fewer options to choose from, because the consequences of a risk can be much more severe for the rights and freedoms of individuals.
While the GDPR is not specific about how risk treatment should be performed, it provides some useful hints as to what your organization needs to consider in its risk management process.
For example, it states that to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, account must be taken of state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the risk for the rights and freedoms of individuals.
In addition to the usual technical and organizational measures that an organization will use to mitigate risks, several more unorthodox controls are at their disposal.
6. Risk communication and consultation
In information security, information about risks needs to be shared between decision-makers and other stakeholders. Such information may include the existence, nature, form, likelihood, severity, treatment, and acceptability of risks.
Effective communication among stakeholders is important since this may significantly impact decisions.
Communication will ensure that those responsible for implementing risk management and those with a vested interest understand the basis on which decisions are made and why particular actions are required.
In data privacy, communication about risks goes beyond information security, because in many instances the stakeholders are a larger population than in information security.
One example is when the processing of personal data would pose a high risk to the rights and freedoms of data subjects, which obliges the organization to consult the data protection authorities.
7. Risk monitoring and review
Risks are not static. Threats, vulnerabilities, likelihood, or consequences may change suddenly and without indication.
Therefore, constant monitoring is necessary to detect these changes. This is performed by reviewing all risk factors to identify any changes early enough and to maintain an overview of the complete risk picture.
Risk Management in a few words
In conclusion, risk management serves as a systematic approach to navigating potential challenges within information security. This process involves meticulous steps, including context establishment, risk identification, analysis, evaluation, and treatment.
Notably, when applied to data privacy, the scope narrows to records of processing activity, aligning with the nature and context of personal data.
The unique considerations of data privacy, such as the impact on individuals’ rights and freedoms, necessitate a thoughtful adaptation of risk management practices.
The journey from risk identification to monitoring and review involves tailored steps to safeguard personal data, ensuring compliance with regulations like GDPR and fostering a secure digital landscape.