Privacy risk is fundamentally simple: it is the ‘potential risk of harm to the data subject’, full stop. That should be the focus of the output of a privacy impact assessment (PIA). How you organise everything else that turns up along the way is where it gets interesting.
An IT risk is not necessarily a privacy risk, although an IT risk can translate into one. An IT risk may also threaten intellectual property (IP), and it should already have been managed under an industry standard such as ISO/IEC 27001, the information security management standard. If I come across an IT risk when conducting a PIA, I hand it over to the CISO, because that risk threatens parts of the organisation beyond privacy and GDPR compliance, and the CISO owns the controls that address it.
The output of a PIA can also surface directly as a corporate risk, e.g. brand damage, but so can many other kinds of risk, e.g. insider dealing or a lack of financial transparency. Other PIAs may be running in parallel with mine and surfacing the same risks. If I find a corporate risk, I push it up to the corporate risk team, who manage the accumulated risks from the helicopter view.
What about a process risk? If there is no personal data breach notification policy, or no incident management process at all, then ITIL, the industry best-practice framework for IT service management (ITSM), is not being followed. This can become a privacy risk: without an incident process you cannot reliably detect a breach, assess whether it is likely to harm data subjects, or meet the GDPR’s 72-hour notification window under Article 33. This is super interesting because we start to see how GDPR compliance can kick-start operational efficiencies that were previously lacking.
What I’m trying to say here is that any risk surfaced by a gap assessment or a PIA is an opportunity to do what should have been done already: follow industry standards, get the rules in place, document and evidence them, and you will find yourself in a nice place where you can focus on personal data.
You don’t need GDPR experts to do all of this work. They are, after all, in short supply, and a lot of those out there are selling ‘snake oil’. Get ITIL/ITSM experts in to fix your IT processes; for business processes, get in a Six Sigma black belt; and for security, get in the infosec team.
Privacy risk is a feed into the GRC (governance, risk, compliance) dashboard. I had one DPO who was asked to sit on the GRC steering group. What a relief for them when I explained that privacy risks are a feed into the risk register, which sits alongside the other organisational risks, e.g. IT risks and corporate risks. As if the DPO didn’t have enough on their plate!
Finally, when deciding what matters to you in a PIA, I come back to the opening paragraph: privacy risk is all about the data subject, what can potentially cause them harm, and is specific to the scope of your assignment. Everything else you can delegate, or push up to the risk management team. Those other risks impact the whole organisation, and you have enough on your plate without pulling them into the scope of your privacy programme!