Fitting Privacy into Your Risk Management Program

Oct 19, 2017 | by Steve Schlarman

Most organizations today recognize privacy and data protection concerns as significant risks.  The massive data breaches and associated fallout in recent years make it clear that personal data is one of the fundamental assets all companies must protect.   A privacy program relies on the same lines of defense as a good risk management program.  The first line of defense (the business) must ensure personal data processing activities comply with data protection requirements.  The second line of defense (security, risk, compliance) must set guidelines for the appropriate technical and organizational controls.  The third line of defense (audit) must ensure the organization meets privacy and data protection compliance top to bottom.

Several key elements of both privacy and risk programs can be accelerated or strengthened when approached in an integrated fashion.   For example:

  • Issues will invariably be identified through activities such as Privacy Impact Assessments (PIA) as well as general risk and compliance activities. A key foundation for both programs is the ability to manage issues generated from risk and control assessments and audits.
  • A framework is needed for establishing a scalable and flexible environment to document and manage your organization’s policies and procedures.
  • The control universe, i.e. the organizational and technical controls, for both privacy and general risk and compliance should be systematically documented and tested.
  • Third parties are a critical element in both general risk and privacy. The risks associated with relying on third parties who support critical business processes or process personal data are considerable.

Two major areas of overlap between Privacy and Risk Management are 1) Data Governance and 2) Privacy-related risk assessment processes.

Documenting Data Processing Activities as part of the data governance strategy provides key information for other risk and compliance activities. For example, prioritizing incidents or scoping audits can be improved when the data involved is factored into the level of risk. Knowing which business processes, applications, IT infrastructure or facilities are designated as part of a data processing activity immediately changes the associated risk profile. Having details on what information a business application processes as part of its security profile, for instance, turns a possible security alert into a possible data breach with wide-ranging compliance implications.

Risk assessments for both privacy and general risk purposes should follow the same structure. The main participants in these processes are the first line of defense. Therefore consistency, ease of engagement and a common workflow establish a higher level of involvement and result in better insights. Whether it is folding privacy elements into existing processes, such as the Business Impact Analysis (BIA) performed for Business Continuity purposes, or establishing specific Data Protection Impact Assessments (DPIA), consideration should be given to who is performing these assessments, how those assessments are executed and how issues or gaps identified during the assessment are consolidated and reported.

Privacy programs and risk management programs are intimately linked. The value of understanding your data processing activities, as required by many privacy requirements, can be an incredible source of information for your broader risk management efforts. In addition, assessing risk, given the potential impacts of privacy issues, is a key element of protecting personal data for most organizations today. Finding commonalities in your processes and consolidating efforts can improve both programs.


Learn more about RSA Archer’s new Privacy-focused use cases.


Category: RSA Fundamentals, RSA Point of View

Keywords: Governance and Risk Management, GRC, Privacy, RSA Archer, Data Security, GDPR