Is this a privacy risk?

Privacy risk is fundamentally simple: it is the ‘potential risk of harm to the data subject’, period. This should be the focus of the output of a privacy risk assessment (PIA). How you want to organise this can be interesting.

IT risk may not be a privacy risk, although an IT risk could equate to a privacy risk. An IT risk may also present a risk to intellectual property (IP) and should have been managed following industry best practices such as ISO 27001, the gold standard in information security compliance. If I come across an IT risk when conducting a PIA, I hand it over to the CISO, as this risk is a potential risk to other aspects of the organisation outside of privacy and GDPR compliance.

Now, the output of a privacy risk assessment could surface directly as a corporate risk, e.g. brand damage, but a lot of other types of risk can become a corporate risk too, e.g. insider dealing, lack of financial transparency, etc. There can be other PIAs happening in parallel to what I’m doing, surfacing the same risks. If a corporate risk is found, I push it up to the corporate risk team, who manage the accumulated risks from the helicopter view.

What about a process risk? If there is no personal data breach notification policy, or any incident management process, then ITIL/ITSM, the industry best practice standard in IT Service Management, is not being followed. This can become a privacy risk. This is super interesting because we then start to see how GDPR compliance can kick in operational efficiencies that were previously lacking.

What I’m trying to say here is that any risks surfaced when you’ve had either a gap analysis or a privacy risk assessment conducted are an opportunity to do what should have been done previously. Follow industry standards, get the rules in place, document, evidence, and find yourself in a nice place where you can focus on personal data.

You don’t need GDPR experts to do all your work. They are, after all, in short supply, and there are a lot out there selling ‘snake oil’. You can get the ITIL/ITSM experts in to fix your IT processes; for business processes, get in the Six Sigma black belts; and for security, the infosec guys.

Now, privacy risk is a feed into the GRC (governance, risk, compliance) dashboard. I had one DPO who was being asked to sit on the GRC steering group. What a relief when I explained that privacy risks were a feed into the risk register, alongside other organisational risks, e.g. IT risks and corporate risks. As if the DPO doesn’t have enough on their plate!

Finally, when focusing on what’s important to you when conducting a privacy risk assessment, I dovetail back to the opening paragraph of this article: privacy risk is all about the data subject and what can potentially cause them harm, and it is specific to the scope of your assignment. Everything else you can delegate or push up to the risk management team. It impacts the whole organisation, and you have enough on your plate without pulling that into the scope of your privacy program!

GDPR Paralysis?

Have you ever heard of the term ‘analysis paralysis’? Well, GDPR paralysis is a flavour of this, although not the same.

So far I’ve experienced the following distinct types of GDPR paralysis. What this means is that an organisation cannot move forward: either it is stuck on its road to GDPR compliance, or its operations are simply blocked from doing anything due to the upcoming Regulation.

  1. ‘GDPR, let’s wait a bit’ until we are sure we know exactly what the legal text will say. I saw this popping up as early as 2015, when the business called in the legal guys, who advised that it was best to wait until the final version of the GDPR was agreed. However, what was frustrating, at least for myself as a privacy consultant, is that I could see so much that could be done even based on the 2012 draft version, e.g. processors could pursue ISO 27001 information security certification on their operations, controllers could have documented their business processes so that personal data flows could be mapped onto them later, etc. I can see the same happening with the e-Privacy Regulation due to replace the e-Privacy Directive (lots to do with marketing here). It is not ready yet, but we have enough to start preparing.
  2. The ‘GDPR hot potato’ – I came across this for the first time in 2016, and since then I’ve heard it happens a lot. The question of GDPR had landed at board level of a rather large B2C business and nobody wanted to own the budget. It took them 8 months to finalise which department should own the GDPR project, and of course during this time nothing happened.
  3. GDPR warfare – mainly in industries where personal data is the core product. I’ve come across this at least twice in a big way. It is the opposite of (1) in that there is a fight between legal and IT to own the GDPR budget. I’ve seen both situations: one where legal originally had the budget, but IT were better qualified as they had a legal guy as CISO who understood both IT and the need for legal expertise; the second where IT and legal needed to work more tightly together, as each had strengths that were lacking in the other, hence neither could have owned the budget and executed effectively.
  4. Operational stop! This is when nothing can move forward because your legal department informs you that it is not GDPR compliant. Unless you have a middle-man to mediate, with concrete bullet points that balance the commercial side against the privacy risks etc., you will end up with war between your marketing/sales and legal teams. It will probably end with your head of Marketing having a meltdown because they are not able to do marketing according to the GDPR + e-Privacy Regulation. Of course this is not the case; it just requires some new thinking. Inside Privasee we’ve implemented a Change Advisory Board (CAB) to take on this function. This is normal practice in larger organisations as part of the IT Service Management (ITSM) process, but was not seen as so necessary in smaller businesses such as ours until now.

Do you have any GDPR war stories to share?