What is risk management?
According to ISO 27000, one of the globally accepted and well-established information security frameworks:
Risk management is a systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context and identifying, analyzing, evaluating, treating, monitoring and reviewing risk.
This requires some additional explanation, so let us break the process down to its constituent steps:
✅ Establishing the context
✅ Risk treatment
✅ Risk communication and consultation
✅ Risk monitoring and review
Risk identification, risk analysis, and risk evaluation are collectively referred to as risk assessment, a sub-process of the overall risk management process.
The following diagram shows the risk management process:
1. Establishing the context
To establish the context means to define the scope to which the risk management will apply.
In information security, this involves setting the basic criteria for information security risk management, defining the scope and boundaries, and establishing an appropriate organizational structure for operating information security risk management.
If you apply it to data privacy, the scope would be the records of processing activities, as this is what "the nature, scope, context and purposes of processing" denotes, as per the wording of GDPR Article 32.
The context might also take into account drivers of an organization for the protection of data subjects’ personal data, such as protection of individuals’ privacy, meeting legal and regulatory requirements, practicing corporate responsibility, enhancing consumer trust, etc.
During the context establishment phase, you will need to develop the following criteria:
✅ risk evaluation criteria – used to evaluate the criticality of the assets involved
✅ risk impact criteria – used to describe the degree of damage caused by an incident
✅ risk acceptance criteria – used to decide whether a risk is already at an acceptable level
In information security risk management, there is much more to consider when defining each of the above criteria.
For example, to determine impact criteria, your organization might want to consider the classification level of the impacted information asset, impaired operations, loss of business and financial value, breaches of requirements (legal, regulatory or contractual), and more.
The situation is somewhat simpler in data privacy risk management as risks are always observed from the perspective of individuals, as risks to their rights and freedoms.
In data privacy risk management, the impacted asset would be personal data, and its classification level would be higher or lower depending on whether the personal data is special category data.
Loss of business and financial value would not make much sense in the context of individuals’ rights and freedoms, and the same is true for other considerations from information security risk management.
Finally, some additional organizational aspects of risk management need to be considered, the most important being naming the stakeholders, definition of roles and responsibilities, and specification of records to be kept.
2. Risk identification
The purpose of risk identification in information security is to determine what could happen to cause a potential loss to an organization's assets and to gain insight into how, where, and why the loss might happen.
In order to do this, several sub-steps need to be performed:
✅ Identification of assets
✅ Identification of threats
✅ Identification of existing controls
✅ Identification of vulnerabilities
✅ Identification of consequences
You can find out more about each of the sub-steps in the Privacy Risk Management white paper.
These steps will collect input data for the risk analysis, which follows the identification of risks.
3. Risk analysis
In information security, risks are viewed with respect to potential damage to the organization and its assets, both tangible and intangible.
While it is possible to build upon this approach, in data privacy the levels of risk depend on the impact on natural persons, which is why their perspective has to be considered first.
The meaning of likelihood in information security denotes the chance of something happening (typically a threat exploiting a weakness in a system), while the consequence is the outcome of such exploitation.
As risk assessment in information security is different from its counterpart in data privacy, it is obvious that these terms need to be modified for their use in data privacy.
Thus, likelihood needs to be expanded to cover the possibility of something bad happening to personal data, while consequence becomes the severity of the impact of the risk on the rights and freedoms of the data subject.
The purpose of risk analysis is to assign levels to risks. Risk level can be calculated as shown below:
The above "formula" is not a strict mathematical equation, meaning it does not calculate the risk level by multiplying likelihood and severity; it merely emphasizes that the risk level is a function of these two quantities.
Risk analysis methodology can be qualitative or quantitative. Some industries prefer qualitative analysis, while others prefer quantitative.
Oftentimes a combination of the two is used, e.g., semi-qualitative analysis. Qualitative risk analysis is much less complex and less expensive to perform.
Qualitative analysis uses a scale that describes the severity of potential consequences (e.g., insignificant, minor, medium, major, catastrophic) and the likelihood that those consequences will occur (e.g., rare, unlikely, probable, likely, certain).
It is typically used when numerical data are inadequate for quantitative analysis.
Quantitative analysis uses a scale with numerical values for both likelihood and consequences, using data from various, mostly historical sources.
Due to the nature of data privacy risks, where it would be very hard to actually calculate levels of risks, the use of a qualitative method is suggested.
To determine risk levels, use a risk assessment matrix. The matrix from the Data Privacy Manager solution is shown below:
For each identified risk, its consequence and likelihood levels are combined according to the pre-agreed risk criteria and the risk level is determined.
In our example with a 5×5 matrix, a risk that is probable (likelihood of occurrence) with major consequence severity results in a moderate risk level.
It should be noted that risk matrices of dimensions other than 5×5 are possible. The output of risk analysis is a list with a level assigned to every risk.
4. Risk evaluation
The output from the risk analysis phase is then used as the input to risk evaluation.
Levels of all risks need to be compared against risk evaluation criteria and risk acceptance criteria, which have been developed during the context establishment phase.
In information security, risk acceptance criteria provide instructions about who is authorized to accept specific levels of risk and under what conditions. The following tables provide examples of risk acceptance and evaluation criteria:
The output from risk evaluation will be the risk register, which is a list of risks prioritized according to risk evaluation criteria.
In data privacy, risk evaluation will need to be performed slightly differently, which also means that actions that will be taken will differ.
This is due to the fact that any risks to individuals’ rights and freedoms have their origin in the processing of personal data.
This, in turn, means that based on the outcome of the risk assessment, every processing activity will be marked as “go” or “no go” for processing.
Additional actions might be mandatory consultations with data protection authorities or even representatives of data subjects whose personal data are to be processed.
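As an added illustration (not the page's or the Data Privacy Manager solution's own code), the analysis and evaluation steps above in Python: a constructed 5×5 lookup matrix over the scales named earlier, chosen so that probable plus major gives moderate, and constructed acceptance criteria; the register is then ranked and the data-privacy go / no-go rule is applied, treating a high risk as one that needs consultation with the supervisory authority before processing.

```python
# Qualitative scales from the text; the matrix bands and acceptance roles below are constructed.
ORDER = ["low", "moderate", "high", "extreme"]
LIKELIHOOD = ["rare", "unlikely", "probable", "likely", "certain"]
SEVERITY = ["insignificant", "minor", "medium", "major", "catastrophic"]

# 5x5 lookup (rows = likelihood, columns = severity). It is a pre-agreed table, not a
# multiplication, and is chosen so that probable x major = moderate, as in the text.
MATRIX = [
    ["low", "low", "low", "moderate", "moderate"],           # rare
    ["low", "low", "moderate", "moderate", "high"],          # unlikely
    ["low", "moderate", "moderate", "moderate", "high"],     # probable
    ["low", "moderate", "high", "high", "extreme"],          # likely
    ["moderate", "moderate", "high", "extreme", "extreme"],  # certain
]

# Acceptance criteria: who may accept a risk left at each level (None = nobody may accept it).
ACCEPTANCE = {"low": "process owner", "moderate": "security manager",
              "high": "executive management", "extreme": None}

def risk_level(likelihood, severity):
    """Risk analysis: combine the two qualitative ratings through the agreed matrix."""
    return MATRIX[LIKELIHOOD.index(likelihood)][SEVERITY.index(severity)]

def build_register(risks):
    """Risk evaluation: score every (name, likelihood, severity) risk and rank worst first."""
    entries = [dict(risk=n, likelihood=l, severity=s, level=(lv := risk_level(l, s)),
                    accept_by=ACCEPTANCE[lv]) for n, l, s in risks]
    return sorted(entries, key=lambda e: ORDER.index(e["level"]), reverse=True)

def evaluate_processing_activity(activity, risks):
    """Data-privacy variant: the whole processing activity gets a go / no-go verdict."""
    register = build_register(risks)
    worst = register[0]["level"]
    if worst in ("high", "extreme"):
        decision = "no go: high risk to data subjects, consult the supervisory authority first"
    else:
        decision = "go"
    return {"activity": activity, "worst": worst, "decision": decision, "register": register}

if __name__ == "__main__":
    # Constructed sample: one record of processing activity with three identified risks.
    result = evaluate_processing_activity("newsletter signup", [
        ("subscriber e-mails exposed through a mis-configured export", "probable", "major"),
        ("marketing profile linked to special-category data", "unlikely", "catastrophic"),
        ("subscriber list kept beyond its retention period", "likely", "minor"),
    ])
    for e in result["register"]:
        print(f"{e['level']:9} {e['likelihood']:9} {e['severity']:13} {e['risk']}")
    print(result["decision"])
```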
5. Risk treatment
This is probably the one phase where it gets somewhat challenging to take the risk management process as used in information security and apply it to the protection of personal data.
This is because risks can be treated in several distinct ways in information security, depending on the risk appetite of the organization. At the very extreme, a risk can even be accepted if the risk acceptance criteria allow it.
According to ISO 27005, which is an informative (i.e., not mandatory) standard for information security risk management, the available options to treat risks are:
✅ risk acceptance (retention)
✅ risk mitigation (modification)
✅ risk transfer (sharing)
Contrary to this approach, the protection of personal data might leave you with fewer possibilities to choose from because risk consequences can be much more severe for the rights and freedoms of individuals.
While the GDPR is not specific about how risk treatment should be performed, it provides some useful hints as to what your organization needs to consider in its risk management process.
For example, it states that in order to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, account must be taken of state of the art, the costs of implementation and the nature, scope, context, and purposes of processing as well as the risk for the rights and freedoms of individuals.
In addition to usual technical and organizational measures that an organization will use to mitigate risks, there are also several more unorthodox controls at their disposal, which is why we’re mentioning them here.
The first such control is pseudonymization. This is a process that allows an organization to switch the original set of data (for example, data subject’s e-mail) with an alias or a pseudonym.
A particular pseudonym for each replaced data value makes the data record unidentifiable while remaining suitable for data processing and data analysis.
It should, however, be noted that this also makes it possible for the organization to perform a reverse process – the re-identification of the data. This is why pseudonymized data are always in the scope of the GDPR.
The second control is encryption. It has been used for quite some time in information technology to preserve the secrecy of both data at rest and data in transit. It is based on sound mathematical algorithms that transform the original information into what looks like random noise, which can only be decrypted back if you have the decryption key.
The crucial part of encryption is cryptographic key management, as it is the decryption keys that must be guarded against unauthorized access.
Those who obtain decryption keys have full access to encrypted data, while without the keys encrypted data are useless.
Encrypted data are within the scope of the GDPR most of the time. However, if it can be shown that someone with access to the encrypted data (e.g., when a CD with encrypted data goes missing) does not have access to the decryption keys, the data can be deemed out of scope.
This trait can be further used to render the data permanently out of scope by simply destroying the keys in a controlled manner.
Finally, there is anonymization, which is a technique used to irreversibly alter data so that the data subject to whom the data relates can no longer be identified.
Anonymized data are not in the scope of the GDPR.
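An added example (not from the page or the product it describes) contrasting the three controls on constructed records: pseudonyms are derived with HMAC-SHA256 under a key held apart from the data, which is an assumed design; re-identification works only while the lookup table exists, and destroying the table and key removes the organization's way back, in the same way the text describes controlled destruction of encryption keys.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (not real people): the e-mail address is the direct identifier.
RECORDS = [
    {"email": "ana@example.com", "event": "login"},
    {"email": "ana@example.com", "event": "purchase"},
    {"email": "bo@example.com", "event": "login"},
]

def pseudonymize(records, key):
    """Swap each e-mail for a keyed alias; return the aliased records and the lookup table."""
    # The alias is deterministic per key, so one person's records still link up for analysis.
    table, out = {}, []
    for rec in records:
        alias = hmac.new(key, rec["email"].encode(), hashlib.sha256).hexdigest()[:16]
        table[alias] = rec["email"]
        out.append({**rec, "email": alias})
    return out, table

def events_per_person(records):
    """Analysis on pseudonymized data: aggregate by alias without knowing who it is."""
    counts = {}
    for rec in records:
        counts[rec["email"]] = counts.get(rec["email"], 0) + 1
    return counts

def reidentify(records, table):
    """The reverse process the text warns about; only the holder of the table can do this."""
    return [{**rec, "email": table[rec["email"]]} for rec in records]

def anonymize(records, table):
    """Destroy the lookup table (the caller discards the key): no reverse path remains."""
    table.clear()
    return [dict(rec) for rec in records]

def can_reidentify(records, table):
    """True only while every alias in the data is still resolvable through the table."""
    return all(rec["email"] in table for rec in records)

if __name__ == "__main__":
    key = secrets.token_bytes(32)             # kept with the table, never with the data
    aliased, table = pseudonymize(RECORDS, key)
    print(events_per_person(aliased))         # two events for one alias, one for the other
    assert reidentify(aliased, table) == RECORDS
    anonymized = anonymize(aliased, table)
    del key                                   # controlled key destruction, as for encryption
    print(can_reidentify(anonymized, table))  # False: the organization has no way back
```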
Whatever control or set of controls is used to mitigate privacy risks, be it traditional or the above described more novel ones, or even a combination of both groups, it is important to understand that there is always a residual risk.
In information security, an organization will compare residual risks to its own risk acceptance criteria in order to decide whether the treatment of the risk resulted in an acceptable level, and hence if it can be accepted.
In data privacy, we need to bear in mind that risks are viewed from the perspective of data subjects whose personal data are processed, which inevitably leads to a more conservative approach when it comes to risk acceptance.
Organizations will need to be very cautious in determining what level of risk is, and what is not, acceptable.
6. Risk communication and consultation
In information security, information about risks needs to be shared between decision-makers and other stakeholders. Such information may include the existence, nature, form, likelihood, severity, treatment, and acceptability of risks.
Effective communication among stakeholders is important since this may have a significant impact on decisions that need to be made.
Communication will ensure that those responsible for implementing risk management, and those with a vested interest understand the basis on which decisions are made and why particular actions are required. Communication is bi-directional.
In data privacy, the communication about risks goes even beyond what is the practice in information security. This is because in many instances the stakeholders comprise a larger population than is the case in information security.
One example is when the processing of personal data would pose a high risk to rights and freedoms of data subjects (as identified during data protection impact assessment), putting the organization under obligation to consult with data protection authorities.
7. Risk monitoring and review
Risks are not static. Threats, vulnerabilities, likelihood or consequences may change suddenly and without indication.
Therefore, constant monitoring is necessary to detect these changes. This is performed by reviewing all risk factors to identify any changes early enough and to maintain an overview of the complete risk picture.
Data privacy also requires the monitoring and review of risks; for example, Article 32(1) of the GDPR states:
“the controller and the processor shall implement […] a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”
Get a more detailed look into Privacy Risk Management and download our white paper: