No one likes to feel like big brother is spying on them, but they sure do love the conveniences of modern technology.
Some would say these two factors go hand in hand and that to have modern conveniences, you must sacrifice some of your privacy. So let’s debunk that myth.
The data privacy risk assessment is your organization’s most powerful tool in combating data theft and protecting your customers and data assets.
Join us in this article as we discuss what a data privacy risk assessment is and how it can help your organization while also contributing to a more privacy-conscious security environment.
What Is a Data Privacy Risk Assessment?
Data privacy risk assessments are becoming commonplace in general risk management frameworks. A privacy risk assessment’s basic premise is to calculate the risk in holding personally identifiable information (PII).
Later on, we will explore a privacy risk assessment’s general workings in more detail, but first, we must understand what privacy risk is.
The National Institute of Standards and Technology (NIST) describes privacy risks as problems individuals could experience due to PII exposure. The exposure, of course, is caused by the data controller or data processor.
What kind of problems? It could be anything from:
- Discrimination or reputational harm due to the exposure of PII
- Embarrassment or loss of dignity
- Economic or financial loss
- Physical harm
This risk to individuals’ privacy is what the risk assessment will be trying to evaluate and mitigate. Some regulatory frameworks, such as the GDPR, take it one step further and assume that privacy risks also include anything that jeopardizes natural persons’ rights and freedoms, as outlined in the first part of the GDPR.
The CCPA, another privacy-based regulation, also states the need for a risk-based approach to privacy.
Both regulations state the need for an organizational privacy risk framework. Unfortunately, neither gives the organization the tools or a template to carry one out, but fear not; we have you covered.
Understanding Why You Collect Personal Data
Before really fleshing out the privacy risk assessment, you will want to understand:
- Whether you even require one
- And why you need one
You will require an assessment regularly if you process any degree of PII.
Why you need one is a more complicated question, but it starts with understanding why you collect PII in the first place.
Today’s data-driven economies have seen an explosion in the information systems of businesses. It seems impossible to get anything done on the internet without inputting some PII into a registration form.
For example, take any software-as-a-service model. They’re going to need your credit card information, birthday, address, and your firstborn. Well, maybe not the last one, but it’s still a lot of information. Which sometimes may seem unnecessary compared to what you are getting in return.
The sad truth is that businesses that operate online cannot escape this reality. With KYC requirements, tax needs, and other regulatory factors, they must do this “paperwork.”
Depending on the industry, more or less PII may need to be collected; here are some reasons why PII is collected:
- PII for Marketing Campaigns
- Processing shipping details
- KYC for financial services and fintech
- Use of SaaS and account creation
- Gaming industry; games-as-a-services
- Credit card payments
- Tax information (freelance platforms, for freelancers)
Of course, the list is not exhaustive, and you can build a picture in your mind about the many reasons businesses might require PII.
Lastly, it is also true that some businesses go beyond reasonable means of collection necessary for business operations. And this excessive collection could pose a more significant threat to your organization. The risks end up multiplying and could far outweigh any possible benefits.
If you feel like you need to revise your data collection strategy and could use a cyber health checkup, don’t hesitate to contact a specialist.
Know What You Are Protecting
Once you know why you are collecting the PII, you can begin to analyze and understand what you are protecting.
Collecting PII means that you are now in control of a sensitive asset: great for your bottom line, not so great if breached.
As mentioned prior, knowing the reasons for collection could mean taking a leaner approach and stripping away any “identifiers” that are unnecessary. Identifiers are strings of data that, if found, could lead to the identification of an individual, which would pose a privacy risk to them, as outlined earlier in the article.
So what kind of data are you protecting? Depending on why you are collecting it, it could be:
- IP addresses
- Login credentials
- Financial info
- Medical records
- Location data
- Other identifiers, such as residency cards
These all have perceived value in different markets, both in black markets and legitimate data markets. Medical records and financial data are considered some of the more valuable data sets, which is why you will often see these classified as extremely sensitive or high privacy risks.
Now that you have a better understanding of why you are collecting PII and what data sets you are protecting, you can begin to build a risk assessment around that.
The Privacy Risk Assessment Framework
A privacy risk assessment framework follows a similar pattern to any standard risk assessment, with some minor changes.
Essentially, you are:
- Identifying the risks to the privacy of your data subjects (customers, staff, etc.)
- Sensitivity scaling: organizing data into categories of sensitivity according to the risk factors (more on risk factors in the next section)
- Applying safeguards: mitigating the privacy risks
This is a simple and widely applicable framework; you might have more stringent requirements depending on your industry and the regulations that govern it. But the principles in this framework are a great starting point.
Let’s explore each step in a bit more detail.
Identify Privacy Risks
As the name suggests, this step of the assessment requires your organization to identify the risks to your data subjects’ privacy if a breach were to occur.
Let’s use the example of Faux Industry, LTD. They are a software-as-a-service (SaaS) company whose product is an accounting application that helps businesses with bookkeeping.
The kinds of PII they collect and process are:
- User account information
- Credit card information
- Tax information, such as Social Security Numbers and VAT numbers
Faux Industry, LTD would then need to identify the risk to their users’ privacy and any loss of integrity or availability of that data.
Privacy risks would include, but are not limited to:
- Leaked Social Security Numbers (SSN), which then leads to Identity theft
- Economic loss due to stolen credit card information
Now that they have identified some of the privacy risks and mapped the data collection type, they can analyze the risk factors.
The risk factors are the:
- Likelihood of the risk occurring
- Vulnerabilities in the information system
- Threats to the information system
- Impact on the data subjects
Combining these, you can create a scaling method; for example, a scale from zero to one, with zero being low risk and one being extreme.
The sensitivity scaling then becomes a function of the risk factors against the risk. For example, suppose the risk factors are all high: a high likelihood, an increased number of vulnerabilities in the information system, many known threats that can exploit those vulnerabilities, and a high impact on the individual’s privacy. In that case, that data grouping is of grave concern.
In a more realistic risk assessment, you will usually have a varying degree of risk across each factor and each data set. It is up to your organization to understand the sensitivity of the data and the risk factor quotient.
Once you have those two values, you can categorize them into different tiers. The tiers will range from low sensitivity and risk, high sensitivity and risk, and all combinations in between.
Once you have the sensitivity scaling, you understand where you should focus your organizational resources. The objective here is to apply technical safeguards and organizational safeguards that will mitigate the risks to privacy.
For example, it will be a waste to allocate resources to mitigate risks in the low sensitivity and low-risk factor category.
The low likelihood of a breach may mean that any resources used to mitigate the risk are considered a waste of time and money by upper management.
Your organization should be focusing on mitigating risks to susceptible categories of data, even if the likelihood is low. Low probability does not necessarily mean low impact.
Things can get tricky here. Fundamentally, it comes down to the willingness to protect. In the above example, low likelihood could fall within the organization’s tolerance threshold, and the final decision is to ignore the risk.
However, this depends on the organization itself and is a mix of:
- The company’s culture
- Its aversion to risk
- Attitudes the decision-makers have toward risk
- Budgetary constraints
If you cannot decide on resource allocation, then the risk assessment will be the best way to make the case.
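As an added worked example that is not part of the original article, the following Python models the sensitivity scaling described above for Faux Industry, LTD: the four risk factors are combined into a risk factor quotient, each data set is placed in one of the (sensitivity, risk) tiers, and safeguards are prioritized so that high-sensitivity data is never dropped just because its likelihood is low. The equal-weight combination, the 0.5 threshold, and every sample score are assumptions; the article prescribes none of them.

```python
from dataclasses import dataclass
from statistics import mean

# Assumed model: factors scored 0 (low) to 1 (extreme); the equal-weight mean and 0.5 cut-off are assumptions.
THRESHOLD = 0.5

@dataclass(frozen=True)
class RiskFactors:
    likelihood: float       # chance the privacy risk materialises
    vulnerabilities: float  # known weaknesses in the information system
    threats: float          # known threats able to exploit those weaknesses
    impact: float           # harm to the data subject if it happens

@dataclass(frozen=True)
class DataSet:
    name: str
    sensitivity: float      # 0 = low, 1 = extremely sensitive (medical, financial)
    factors: RiskFactors

def _score(value: float) -> float:
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"scores must lie in [0, 1], got {value}")
    return value

def risk_factor_quotient(f: RiskFactors) -> float:
    """Combine the four risk factors into one 0..1 value (equal weights assumed)."""
    return mean(_score(v) for v in (f.likelihood, f.vulnerabilities, f.threats, f.impact))

def tier(ds: DataSet) -> tuple[str, str]:
    """Place a data set in one of the four (sensitivity, risk) tiers, e.g. ('high', 'low')."""
    sens = "high" if _score(ds.sensitivity) >= THRESHOLD else "low"
    risk = "high" if risk_factor_quotient(ds.factors) >= THRESHOLD else "low"
    return sens, risk

def needs_safeguards(ds: DataSet) -> bool:
    """Only the low/low tier is deprioritised: low probability is not low impact."""
    return tier(ds) != ("low", "low")

def prioritise(datasets: list[DataSet]) -> list[str]:
    """Order the data sets most sensitive first, then by risk factor quotient."""
    ranked = sorted(datasets, reverse=True,
                    key=lambda d: (d.sensitivity, risk_factor_quotient(d.factors)))
    return [d.name for d in ranked if needs_safeguards(d)]

# Constructed sample: the three PII groupings the article names for Faux Industry, LTD,
# plus one invented low-sensitivity grouping to show the tier that gets deprioritised.
FAUX_INDUSTRY = [
    DataSet("user accounts", 0.3, RiskFactors(0.6, 0.5, 0.7, 0.4)),
    DataSet("credit card information", 0.9, RiskFactors(0.4, 0.3, 0.7, 0.9)),
    DataSet("tax information (SSN, VAT)", 0.9, RiskFactors(0.1, 0.2, 0.3, 0.9)),
    DataSet("marketing preferences", 0.1, RiskFactors(0.2, 0.2, 0.2, 0.1)),
]
```

On the sample, prioritise(FAUX_INDUSTRY) returns the credit card and tax groupings first and drops only the marketing preferences, so the low-likelihood tax data keeps its place in the safeguard queue.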
Benefits to Privacy Risk Assessments
A privacy risk assessment is a great management tool and should be used as such. Compliance aside, a privacy risk assessment, and risk assessments in general, are excellent at:
- Improving the organizational decision-making process
- Assisting with other parts of regulatory compliance (such as DPIAs under the GDPR)
- Discovering vulnerabilities by assessing gaps in the people part of the information system
- Promoting lean data storage in the organization. The risk assessment helps you recognize excessive storage of personal data, which can increase the individual’s risk. Rectifying this reduces costs and strips the “fat” from the information system.
These elements are often overlooked when organizations are required to carry out a privacy risk assessment. But the reality is that privacy risk assessments offer so much more when it comes to the organization’s IT and data protection strategy.
Leverage the added benefit, and look beyond the compliance requirements.
Conclusion and Recap
The data protection regulatory landscape is not looking to slow down any time soon. Businesses, governments, and special interest groups seem to be playing a game of catch-up in the security environment.
However, your organization can use some low-cost and straightforward tools to stay one step ahead.
The data privacy risk assessment is one of those tools. The best part is that you can get started right away.
Having an active data protection strategy will involve a risk assessment. In this article, we discussed:
- The basic principles of a data privacy risk assessment
- Identifying the PII the organization collects
- Identifying Privacy Risks
- Examining Risk Factors
- Scaling the Sensitivity
- Applying Mitigations
- Examining the cases where you will need a privacy risk assessment
- The benefits of using a data privacy risk assessment
There will be cases where your organization will be required to carry out a privacy risk assessment. But you must look beyond any regulatory requirement and see the real value-added benefits of privacy risk assessments discussed in this article.
If you are struggling to keep up with your industry’s security requirements or need assistance in conducting a data privacy risk assessment, contact RSI Security today.
With years of experience in the field, we can cover all your security needs, from compliance advisory and implementation to full-stack cybersecurity architecture.