What is Privacy Risk Management?
Privacy risk is the potential loss of control over personal information. Personally identifiable information (PII) refers to any information about an individual maintained by an agency, including any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information [1]. As an example, a user’s IP address is not by itself classified as PII, but it is considered linked PII because it is linkable to an individual. Managing privacy risk is a critical task for businesses, as privacy risks are related to other organizational risks such as operational and reputational risks. The following steps can assist in creating a privacy risk management program [2]:
Context establishment. Define the scope to which the privacy risk management will apply. If applied to data privacy, the scope could be records of processing activity. The context, then, might include an organization’s drivers for the protection of personal data, such as individuals’ privacy, meeting legal and regulatory requirements, practicing corporate responsibility, enhancing customer trust, etc. To establish the context, criteria will need to be developed for risk evaluation, risk impact, and risk acceptance.
Risk identification. The purpose of risk identification is to determine what could happen to cause a potential loss to an organization’s assets and to gain insight into how, where, and why the loss might happen. Steps needed for risk identification include identification of assets, threats, existing controls, vulnerabilities, and consequences.
Risk analysis. In information security, risks are viewed with respect to potential damage to the organization and its assets. In data privacy, the levels of risk will depend on impacts on natural persons (data subjects who can be directly or indirectly identified through PII). The purpose of risk analysis is to assign levels of risk and their associated consequences and likelihood levels.
Risk evaluation. Levels of all risks will be compared against risk evaluation criteria and risk acceptance criteria, which have been developed during the context establishment phase. In information security, risk acceptance criteria provide instructions about who is authorized to accept specific levels of risk and under what conditions. In data privacy, risk evaluation will need to assess privacy risks with regard to individuals’ rights and freedoms.
Risk treatment. Available options to treat privacy risks include risk acceptance, risk mitigation, risk transfer, and risk avoidance. Measures for privacy risk treatment might include pseudonymization, encryption, or anonymization.
Risk communication and consultation. Information about risks needs to be shared between decision-makers and other stakeholders, covering each risk’s existence, nature, form, likelihood, severity, treatment, and acceptability.
Risk monitoring and review. Risks need to be constantly monitored to detect changes.
[1] AICPA, 2023, “Privacy Risk Management”
[2] DataPrivacyManager.net, 2020, “7 Steps in Privacy Risk Management”