International: Determine and manage privacy risks
Following long-standing developments in innovative technologies, the benefits of the digital economy are rooted in personal data collections and flows through a complex data ecosystem. Given the complexity of digital products, systems, and services, individuals might find it hard to grasp the consequences that these innovative technologies and products can have for their right to privacy and the protection of their personal data. Likewise, organisations might not fully realise the extent of the consequences for individuals, society, and businesses. While some organisations might already have robust privacy risk management, a common understanding of many aspects of this topic is still missing. Petruta Pirvan, IAPP Training Collaborator at Purpose and Means, discusses the management of privacy risks and what needs to be considered at different levels in a business.
Improper privacy risk management can impact organisations' brands (i.e., harm to reputation or internal culture), their bottom line, their turnover (i.e., non-compliance costs), and their future standing on the market (i.e., customer abandonment, investment opportunities). Organisations could properly define their privacy risks and manage the impact at the enterprise risk management level, where privacy risks can be included in the broader portfolio of risks. This should help drive a more consistent resource allocation agenda for privacy to strengthen the privacy program.
The starting point for each organisation in defining a suitable privacy risk standing is to understand the core of their privacy activities and outcomes, business mission drivers, data processing ecosystems, types of data, data processing activities, and individuals' privacy needs. Privacy risk management is a cross-organisational set of processes that helps organisations to understand how their systems, products, and services may pose privacy concerns for individuals and how to develop effective solutions to manage such risks.
Privacy risk assessments typically focus on the data lifecycle, the stages of data processing activities, which are often characterised as creation or collection, processing, dissemination, use, storage, and disposition, to include destruction and deletion. In general, privacy risk assessments can help organisations to decide upon the proportionality between the benefits of their data processing activities and their risks, as well as to determine the appropriate response to such risks. An organisation can decide to mitigate the risk, to transfer the risk, to avoid or accept the risk, or to choose a combination of these options.
Privacy risk assessments are particularly important because privacy is a complex concept that safeguards multiple values such as human autonomy and dignity, cultural diversity, and individual differences. In a commercial context, privacy is one of the engines that fuels customers' trust in the benefits of a product, including ethical treatment of personal data.
Deriving benefits from data while simultaneously managing risks to individuals' privacy does not have a one-size-fits-all solution, since organisations might have diverse privacy needs depending on the nature of their business.
Identifying whether data processing could pose risks for individuals, even when an organisation may be fully compliant with applicable laws or regulations, can help organisations with ethical decision-making in the design or deployment of digital systems, products, and services. This facilitates optimising beneficial uses of data while minimising adverse consequences for individuals' privacy and society as a whole, as well as avoiding losses of trust that damage organisations' reputations, slow adoption, or cause abandonment of products and services.
Once the risks are identified, organisations develop strategies, policies, and procedures to manage the risks, including:
- a Privacy by Design and by Default consideration;
- transparency and communication; and
- encouraging cross-organisational workforce collaboration among executives, legal, and IT and security, etc.
Privacy risk management policies and procedures need to weigh in on how achievement may be supported or hampered by the organisation's current risk management practices.
Privacy risk management can be a means of supporting accountability at all organisational levels as it connects senior executives, who can communicate the organisation's privacy values and risk tolerance to those at the business manager level, and who can collaborate on the development and implementation of governance policies and procedures that support organisational privacy values.
Once the privacy risk management strategy is developed, the organisational governance structure needs to uphold and enable an ongoing understanding of the organisation's risk management priorities. Governance focuses on organisational-level activities such as establishing organisational privacy values and policies, identifying regulatory requirements, and understanding organisational risk tolerance that enable an organisation to focus and prioritise its efforts, consistent with its risk management strategy and business needs.
It is no less important for organisations to develop and implement appropriate activities that enable individuals to have a reliable understanding of, and engage in a dialogue about, how data is processed and the privacy risks associated with the types of processing. Both organisations and individuals may need to know how data is processed in order to manage privacy risk effectively. Organisational practices that support communication may include:
- determining privacy requirements;
- enacting privacy requirements through formal agreement (e.g., contracts);
- communicating how those privacy requirements will be verified and validated;
- verifying that privacy requirements are met through a variety of assessment methodologies; and
- governing and managing the above activities.
Protecting the data closes the circle with the prevention of security-related incidents, which can affect or even paralyse a company's activity or strike at its core strategic business. Data is managed consistent with the organisation's risk strategy to protect individuals' privacy and maintain data confidentiality, integrity, and availability whilst ensuring timely and reliable access to and use of information. While managing cybersecurity risk contributes to managing privacy risk, it is not sufficient, as privacy risks can also arise by means unrelated to cybersecurity incidents.
The core of privacy risk assessment and management is not a checklist of actions to perform. An organisation selects its approach consistent with its risk strategy to protect individuals' privacy. An organisation may not need to achieve every outcome or activity included on a list of activities to cover. It is expected that an organisation will identify, select, and prioritise its risk management efforts to meet its specific needs by considering its goals, roles in the data processing ecosystem or industry sector, legal and regulatory requirements and industry best practices, risk management priorities, and the privacy needs of individuals who are directly or indirectly served or affected by an organisation's systems, products, or services.
Effective privacy risk management requires an organisation to understand its mission or business environment, its legal environment, its risk tolerance, the privacy risks engendered by its systems, products, or services, and its roles in the data processing ecosystem.
Petruta Pirvan, IAPP Training Collaborator
Purpose and Means, Copenhagen