Understanding Modern Risk: Why Organisations are turning to Privacy Risk Assessments
Perhaps the most important topic of today is the debate around issues of privacy. It’s extensive, complex and often controversial – and it’s a theme that we have returned to time and time again from different perspectives – whether that’s ethics, business impact of personal data protection or tips on how to stay safe online.
The discussion shows no sign of abating and, as consumers become increasingly aware of their digital rights, organisations are now increasingly motivated to ensure that data privacy concerns are treated with the utmost care.
A Long History in Data Protection
First of all, it’s important to understand that when it comes to valuable data, organisations have always been ready to take special measures. In the early days of the internet, we already had Information Security Risk Assessments that treated the internet, or “cyberspace”, as just another part of the attack vector analysis. However, as IT became more cyber-connected and internet-dependent, the process quickly evolved into what we now term a Cyber Risk Assessment (CRA). Aiming to protect an ever-widening attack ‘surface’, a CRA is far more dynamic and responsive, changing according to whatever new threats appear. The level of risk monitoring has also increased, with CRAs being run frequently to contend with the latest attack vectors.
In parallel, organisations that control or process personal data are under increasing pressure to ensure, and to prove, that data privacy concerns are being treated seriously. Although there is not yet any standardised and common practice, we are seeing a rapid rise in the use of Privacy Risk Assessments (PRAs), which should rely on a repeatable and measurable methodology.
It’s important to note that PRA is not a replacement for CRA, but adds new considerations for businesses looking to control or process potentially sensitive data. Indeed, the two methodologies differ in several marked ways. First of all, a PRA should always be conducted ahead of any control or processing activity, in order to evaluate whether personal data, or parts of it, are actually needed for a particular activity or purpose. In addition, the impact on individuals, rather than on the business, should be central to a PRA. This is particularly challenging, since the organisation controlling or processing the data is likely to be dealing with data of many different individuals. In contrast, CRA is a more reactive, cause-event-impact type of process that can run continuously or be repeated frequently within a wider cyber risk management framework that also includes communication and monitoring.
Challenges of PRA
While the impact of a cyber security breach can usually be defined with relative ease, the impact of a privacy breach is much more difficult to quantify. We would find near-unanimous agreement that the leaking of private medical records would be a significant breach of privacy, but there are numerous shades of grey in the debate: how much of an issue would it be if details of your Netflix viewing habits were made public? Or if your email address were shared in the public domain as a customer of a particular internet service provider? While some may consider any incident to be unacceptable, others are more tolerant. This raises questions over the severity of punishment for a breach: is it right to punish the loss of medical data in the same way as the loss of movie viewing data? How can regulators legislate for different shades of privacy breaches?
Although PRAs are not yet widely used, we are on the precipice of seeing these methodologies become truly mainstream. With the General Data Protection Regulation aiming to be adopted in 2016 and enforced from 2018, the importance of a specific form of PRA, known as a Data Protection Impact Assessment (DPIA), cannot be overstated. From the policy maker's perspective, every organisation would have to conduct a "risk assessment" of its intended personal data control or processing activities, and if the assessment identifies them as "likely to present specific privacy risks", a more in-depth DPIA should be conducted. From the business perspective, there are some common steps between the two methodologies, so we are likely to see more integrated, standardised and common risk assessment approaches in the future.
To find out more about how the General Data Protection Regulation will impact privacy practices in organisations, take a look at our previous posts on GDPR here on Ascent.