Following already long-standing development in the area of innovative technologies the benefits of the digital economy are rooted in personal data collections and flows through a complex data ecosystem. Given the complexity of the digital products, systems and services individuals might find it hard to get their heads around the consequences this innovative technologies and products can pose to their right to privacy and protection of their personal data. Likewise, organizations might not fully realize the extent of the consequences for individuals, society and their business. While some organizations might already have a robust privacy risk management, a common understanding of many aspects of this topic is still missing.
An improper privacy risk management can impact organizations brands (i.e., harm to reputation or internal culture), their bottom line, their turnover (i.e., non-compliance costs) and their future standing on the market (i.e., customer abandonment, investment opportunities).
Organizations could properly define their privacy risks and manage the impact at the enterprise risk management level where privacy risks can be included in the broader portfolio of risks. This should help driving a more consistent resource allocation agenda for privacy to strengthen the privacy program. The starting point for each organization in defining a suitable privacy risk standing is to understand the core of their privacy activities and outcomes, business mission drivers, data processing ecosystems, types of data, data processing and individual’s privacy needs. Privacy risk management is a cross-organizational set of processes that helps organizations to understand how their systems, products, and services may pose privacy concerns for individuals and how to develop effective solutions to manage such risks.
Privacy risk assessments typically focus on the data life cycle, the stages of data processing activities, often characterized as creation or collection, processing, dissemination, use, storage, and disposition, to include destruction and deletion. In general, privacy risk assessments can help organizations deciding upon the proportionality between the benefits of their data processing activities and their risks and to determine the appropriate response to such risks. An organization can decide to mitigate the risk, to transfer the risk, to avoid or accept the risk or a combination between all.
Privacy risk assessments are particularly important because, privacy is a complex concept that safeguards multiple values such as human autonomy and dignity, cultural diversity and individual differences. In a commercial related context privacy is one of the engines that fuels customers trust in the benefits of a product, including ethical treatment of personal data.
Deriving benefits from data while simultaneously managing risks to individuals’ privacy is not a one-size-fits-all solution since organizations might have diverse privacy needs depending on the nature of their business. Identifying if data processing could pose risks for individuals, even when an organization may be fully compliant with applicable laws or regulations, can help the organizations with ethical decision-making in digital systems, products, and services design or deployment. This facilitates optimizing beneficial uses of data while minimizing adverse consequences for individuals’ privacy and society as a whole, as well as avoiding losses of trust that damage organizations’ reputations, slow adoption, or cause abandonment of products and services.
Once the risks identified, organizations are set-up to develop strategies, policies and procedures to manage the risks, including:
- a privacy by design and by default consideration,
- transparency and communication,
- encouraging cross-organizational workforce collaboration among executives, legal, and information technology (IT), security, etc.
Privacy risk management policies and procedures need to weight in how achievement may be supported or hampered by the organization current risk management practices.
Privacy risk management can be a means of supporting accountability at all organizational levels as it connects senior executives, who can communicate the organization’s privacy values and risk tolerance, to those at the business manager level, who can collaborate on the development and implementation of governance policies and procedures that support organizational privacy values.
Once the privacy risk management strategy is developed the organizational governance structure needs to uphold and enable an ongoing understanding of the organization’s risk management priorities. Governance focuses on organizational-level activities such as establishing organizational privacy values and policies, identifying regulatory requirements and understanding organizational risk tolerance that enable an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs.
Not least important is for organizations to develop and implement appropriate activities enabling individuals to have a reliable understanding and engage in a dialogue about how data are processed and the privacy risks associated with the type of processing. Both organizations and individuals may need to know how data are processed in order to manage privacy risk effectively. Organizational practices that support communication may include: determining privacy requirements, enacting privacy requirements through formal agreement (e.g., contracts), communicating how those privacy requirements will be verified and validated, verifying that privacy requirements are met through a variety of assessment methodologies and governing and managing the above activities.
Protecting the data closes the circle with the prevention of security related incidents which can affect or even paralyze a company’s activity or even hit at its very core strategic business. Data are managed consistent with the organization’s risk strategy to protect individuals’ privacy and maintain data confidentiality, integrity, and availability whilst ensuring timely and reliable access to and use of information. While managing cybersecurity risk contributes to managing privacy risk, it is not sufficient, as privacy risks can also arise by means unrelated to cybersecurity incidents.
The core of a privacy risk assessment and management is not a checklist of actions to perform. An organization selects its approach consistent with its risk strategy to protect individuals’ privacy. An organization may not need to achieve every outcome or activity included on a list of activities to cover. It is expected that an organization will identify, select and prioritize its risks management efforts to meet its specific needs by considering its goals, roles in the data processing ecosystem or industry sector, legal and regulatory requirements and industry best practices, risk management priorities, and the privacy needs of individuals who are directly or indirectly served or affected by an organization’s systems, products, or services.
Effective privacy risk management requires an organization to understand its mission or business environment, its legal environment, its risk tolerance, the privacy risks engendered by its systems, products, or services and its roles in the data processing ecosystem.