Data Privacy Risk
Privacy Risk Drives Privacy Policies, Practices, and Controls
Data privacy risk measures the likelihood that personal data will be misused or accessed without authorization. Under GDPR, both the controller and the processor need to understand and minimize this risk. Data protection impact assessments help organizations identify and quantify risks for remediation and for disclosure to customers. Privacy impact assessments (PIAs) give organizations the same intelligence, revealing where privacy risks exist and what they are.
The National Institute of Standards and Technology (NIST) in the United States has developed a privacy risk framework.
What is a typical data privacy risk?
- Unauthorized use (beyond stated policy and user consents): Privacy regulations dictate that data should only be collected and used for specific business purposes and within consents granted by customers.
- Unauthorized access: Based on geography and need to know, organizations must tightly control access to personal data. For instance, customer service reps in a North American support group would not need to access the personal data of EU citizens.
- Unauthorized transfer: For cross-border transfers, organizations must have tight controls on where data is transferred, both internally and externally.
- Deception: Organizations must be clear and transparent on how they will utilize personal information and provide clear and complete responses to DSARs and consent requests.
- Financial injury: In the case of a data breach or unauthorized disclosure, financial injury is the real or statutory damages that result from personal data being disclosed to malicious parties. Under GDPR, fines can amount to 4% of revenue; under CCPA, statutory fines can be up to $7,500, plus $750 per instance in civil court.
- Reputational injury: Reputational damage is typically harm to a company’s brand that can delay or cancel sales and services.
How can organizations measure privacy risk?
- Analysis by internal risk teams.
- Outside risk consultancies and services.
- Risk calculations of privacy and security software tools.
Here are additional resources to learn more about privacy risk:
- NIST, privacy risk framework
- UK Information Commissioner’s Office, Privacy impact assessments summary
- Wikipedia, privacy impact assessments
You just learned about privacy risk; now explore related terms like Privacy Impact Assessments, the NIST Privacy Framework, and Data Privacy Automation.