Risk Profile: Establish & Manage Business Risks

Privacy Risk Management Overview and Guidance

*This is a procedural-level supporting document to the Data Privacy Management Program Policy.

Introduction

The purpose of this document is to provide procedural guidance for managing privacy risks using the Trustero Risk Register. It ensures consistent application and understanding of privacy risk management practices, including risk identification, evaluation, and treatment, and serves as a framework-agnostic guide for implementing privacy risk management processes.

*As a procedural-level supporting document to the Data Privacy Management Program Policy, it specifically addresses the following steps of that policy's Planning section:

  1. Performing privacy risk assessments to identify risks to data subjects and organizational compliance.
  2. Defining and documenting actions for treating risks.
  3. Determining and assigning control responsibility (e.g., outsourced, inherited, not applicable) and establishing a Statement of Applicability (SoA), as required by ISO 27701, to justify the inclusion or exclusion of necessary controls.

Tip: To jumpstart the process of adding Privacy risks to your Trustero Risk Register, use our Privacy Risk Register Starter Pack. This resource aligns with your existing controls, making it easier to identify and mitigate associated risks effectively.

Objective

The primary objective of this document is to:

  1. Establish a clear and actionable procedural approach to privacy risk management, ensuring alignment with organizational and regulatory requirements.
  2. Provide a structured methodology for identifying privacy risks to data subjects and organizational compliance.
  3. Facilitate the development of actionable risk treatment plans to mitigate identified risks effectively.
  4. Facilitate determining and assigning control responsibility (e.g., outsourced, inherited, not applicable), also known as a Statement of Applicability (SoA) in ISO 27701, to document and justify the inclusion or exclusion of controls, ensuring transparency and alignment with organizational risk tolerance.
  5. Serve as a reference tool for internal stakeholders to manage privacy risks consistently and effectively.

Designate a Risk Owner

Most organizations have individuals with expertise in specific privacy-related areas. The Trustero Risk Register supports assigning risk owners for each privacy risk identified, ensuring clear accountability. To prepare for privacy audits or assessments, appoint a Privacy Risk Owner who has responsibility over all privacy risks. This person must have the seniority (or mandate) to address privacy risk issues organization-wide. They must be capable of prioritizing privacy risk analysis in different department meetings and driving discussions to completion with action items and timely resolution.

Guidance Outline

1. Privacy Risk Identification
    • Risk Title (Applicable Threats): Identify privacy-specific threats, such as unauthorized data access, lack of consent management, or improper data deletion.
    • Predisposing Condition / Vulnerability: Recognize weaknesses such as inadequate privacy policies, insufficient access controls, or poorly implemented data retention practices.
    • Asset at Risk: Pinpoint critical privacy-related assets, including Personally Identifiable Information (PII), data processing systems, or customer databases.
    • Impact to Data Subject: Assess how a privacy incident, such as a data breach, could affect the rights and freedoms of data subjects. Include potential impacts like identity theft, financial loss, or reputational damage.
2. Privacy Risk Evaluation
    • Overall Inherent Risk: Evaluate the likelihood of privacy threats exploiting vulnerabilities before controls are in place. Include potential impacts such as regulatory fines, loss of customer trust, or legal action. Use the "Inherent Privacy Risk Scoring Calculation" outlined below.
3. Privacy Risk Treatment
    • Risk Response: Determine an appropriate response based on the organization's risk tolerance and the potential impact on data subjects and business operations. For details on response options, refer to the "Privacy Risk Treatment Options" section.
    • Control Implementation: Apply controls, such as data access policies, consent management tools, or privacy-enhancing technologies, to reduce privacy risks to acceptable levels.
    • Residual Risk: Document and evaluate the risk that remains after controls are applied.
    • Risk Acceptance: Mark risks as "Completed" in the Risk Register once management approves the risk response and its corresponding actions.

Information Privacy is a Moving Target

Privacy risks evolve over time due to changes in technology, regulations, and business practices. Trustero recommends regularly reviewing and updating your Privacy Risk Register to reflect changes in the risk landscape and the organization’s privacy requirements.

Inherent Privacy Risk Scoring Calculation

Evaluating privacy risks involves assessing the likelihood of privacy incidents and their potential impacts. This ensures a structured approach to managing privacy risks and supports compliance with privacy frameworks such as GDPR or ISO 27701.

  1. Likelihood Assessment: Evaluate the probability of risks such as unauthorized data access or non-compliance with data subject rights.
  2. Impact Assessment: Assess the potential consequences for data subjects, including harm to their rights and freedoms, as well as the organization’s legal and reputational risks.
  3. Risk Level Determination: Combine likelihood and impact scores to determine overall risk levels. This informs decisions to accept, mitigate, transfer, or avoid risks.

Privacy Risk Treatment Options

  1. Accept: Acknowledge the risk is tolerable without further action, typically due to low likelihood or minimal impact.
  2. Avoid: Change processes or systems to eliminate the risk entirely, such as ceasing certain data processing activities.
  3. Mitigate: Implement controls to reduce likelihood or impact, such as encryption or access restrictions.
  4. Share: Distribute risk through contracts or partnerships, ensuring shared responsibility for privacy compliance.
  5. Transfer: Shift the risk to another party, such as purchasing cyber insurance to cover privacy breach costs.

Trustero Privacy Risk Assessment Scale

  1. Very High: Privacy risks with severe regulatory or reputational consequences.
  2. High: Risks with significant impact on data subjects or operational privacy obligations.
  3. Moderate: Risks with manageable impacts, but requiring immediate attention.
  4. Low: Risks with minimal likelihood or negligible consequences.
  5. Very Low: Risks unlikely to occur or cause harm.

Likelihood and impact scores should align with your organization’s privacy risk tolerance, as defined in your privacy management program or equivalent documentation.