A full version of this article first appeared in Privacy Laws & Business.
How does your organisation manage data protection risks? Would you be able to confidently demonstrate accountability to the data protection regulators if you were required to do so? If you are not sure how to respond to these questions, you are not alone: many organisations are still struggling to demonstrate one of the most basic requirements of the General Data Protection Regulation (EU) 2016/679 (GDPR), the accountability principle.
In this article, we set out how organisations can use some of the core concepts of risk management to help demonstrate how they meet the accountability principle and manage data protection risks.
What is the accountability principle?
The accountability principle in Article 5(2) of the GDPR requires that organisations not only comply with all the data protection principles, but also that they are able to demonstrate compliance with them. In practice, this means organisations must implement technical and organisational measures (commonly known as “controls”) to demonstrate that the processing of personal data is undertaken in accordance with the GDPR. The consequences of non-compliance can be substantial, so effective data protection risk management is fundamental to an organisation’s accountability approach. As an important cornerstone of demonstrating accountability, organisations need to implement a structured way of identifying and managing their data protection risks on an ongoing and forward-looking basis. This article sets out some practical steps that organisations can take to do this.
Data protection risk identification, the first step in managing data protection risks
What are your organisation’s key data protection risks? The first step in managing data protection risk is to identify what the data protection risks are and to add them to a data protection risk register. Risks are usually attached to corporate objectives or stakeholder expectations, i.e. the risks of not meeting these. In the context of data protection risk, the starting point will be the data protection requirements that apply to your organisation and the risks of non-compliance with them, for example: the risk of personal data not being collected lawfully; the risk of a personal data breach occurring; the risk of failing to act on a data subject’s rights request; or the risk of unnecessary and prolonged processing of personal data.
The difference between identifying a “risk” versus an “issue”
From a risk management perspective, it is important to understand the difference between a risk and an issue.
A risk is an uncertainty, a chance or possibility of something happening. In the context of data protection, there will be an adverse consequence associated with the risk materialising, for example reputational damage, a regulatory investigation or a fine. A risk is something that might happen but has not actually occurred, whereas an issue is a known problem that needs fixing, for example a weak or missing control or an internally known instance of non-compliance. It is helpful to understand the difference because your data protection risks will always be there unless you stop processing personal data or significantly change the nature of the products and services you offer, which is very unlikely if you want to stay in business. A risk may worsen or improve depending on both external and internal factors and how well it is controlled, but it will not go away altogether, because there will always be a risk attached to doing business that involves the processing of personal data.
Unlike a risk, an issue can be fixed so that it is no longer a problem for the organisation. An issue is often a risk driver, meaning its existence may increase the likelihood of a risk materialising. The more issues associated with a particular risk, the greater the level of risk exposure. It is therefore important to manage both your data protection risks and your issues.
To further illustrate the difference, an example could be “the risk of unnecessary and prolonged processing of personal data, due to lack of a data retention policy and procedures”. The data protection risk to the organisation is “unnecessary and prolonged processing of personal data” and the issue is the “lack of a data retention policy and procedures”. Once the organisation has implemented a data retention policy and procedures (and actually follows them), the issue will be fixed but the data protection risk will still exist. However, the risk position will be improved once the policy and procedures are in place. Known issues should therefore be logged, prioritised and tracked to completion. Creating and maintaining an ‘issues log’ that shows the organisation’s known data protection issues are being identified, raised and managed will help you to demonstrate a well-managed, risk-aware culture.
Data protection risk and control assessment
Once the key data protection risks to the organisation have been identified, the next step is to assess those risks and their control environment to determine the level of risk exposure. Techniques for rating risks in terms of potential impact and likelihood are well established, but the organisation will need to define impact levels that are appropriate to it and how it operates, because what counts as a significant data protection impact for one organisation may look very different for another.
Inherent risks and residual risks; what is the difference?
The organisation will also need to decide whether each data protection risk is going to be assessed at an inherent risk level as well as at the current (residual) level. Inherent risk is assessed without taking into account any of the controls that are currently in place within the organisation. Controls are all the technical and organisational measures the organisation puts in place to manage the data protection risk and ensure ongoing compliance. Examples of controls an organisation may put in place to manage data protection risks include the appointment of a data protection officer, internal audit processes, third party due diligence and monitoring processes, data protection training, information security measures, data protection policies and procedures, and other documentation specifically required under the GDPR, for example data protection impact assessments, legitimate interest assessments and privacy notices.
For each data protection risk on the risk register, the key controls that have been put in place to manage it should be listed and the effectiveness of those controls rated, typically as either effective (considered adequate in reducing the level of risk), partially effective (the control provides some level of risk mitigation) or ineffective (there is a known control gap, or the control does not provide any of the intended risk mitigation). A partially effective or ineffective key control is an issue and will need a remediation plan put in place to fix it. For example, an internal privacy notice will be a key control for “the risk of personal data not being collected lawfully”. If the privacy notice is out of date, it may be ineffective in controlling this risk because it may no longer reflect the data processing actually being undertaken, and it will therefore need to be updated to prevent the risk from materialising.
It is best practice to assess both inherent and residual levels of data protection risk, because two different data protection risks with the same residual risk rating may have significantly different inherent risk ratings. The benefit of assessing both is that the difference between the two ratings shows how much reliance is being placed on the controls. For example, an organisation’s inherent risk of a personal data breach occurring in the absence of any controls may be ‘high’; however, the strong information and physical security controls the organisation has put in place to manage this risk mean that the residual risk rating is reduced to ‘minor’. Even when the risk of a personal data breach occurring is reduced to an acceptable, minor residual rating, it will always remain on the risk register, so that the effectiveness of those controls in reducing the risk can be monitored on an ongoing basis and action taken if a key control fails.
The data protection risk and control assessment process is important; however, it is only useful if it is undertaken on a regular basis and if the conclusions drawn from it can be used to inform decision making, such as whether a weak control is worth investing in, or the level of priority that should be placed upon fixing known issues.
Responding to risk – will you mitigate or accept the data protection risk?
Maintaining a simple data protection risk register of key data protection risks and controls demonstrates that an organisation is aware of its inherent risks and articulates how it has implemented the technical and organisational measures needed to effectively control the risk of non-compliance. It also demonstrates that the organisation has visibility of its biggest data protection risks and that where risk is not currently being managed to an acceptable level, management is taking action to address the weak control environment.
Alternatively, an organisation may choose to accept the level of risk rather than further mitigate it. This could be because it believes that the cost of strengthening the control environment outweighs the potential impact of the risk materialising. It is important to note that “risk acceptance” is not advisable where the organisation is blatantly not complying with data protection legislation, and we would caution organisations against taking a cavalier attitude to risk acceptance. This is something which will not be looked upon favourably by data protection regulators in the event of non-compliance with data protection legislation.
In addition to this risk response process, another advantage of maintaining a data protection risk register is that it can be used to drive ownership of data protection risk decisions and provide an audit trail for risk acceptance and mitigation activities. This is all accountability in practice!
Data protection risk reporting
Finally, it is recommended that organisations produce regular data protection reports to summarise the current data protection risk and compliance position to the board and management teams. A data protection report is only as good as the information available to you, so preparing a meaningful report can prove tricky unless you have a structured approach to identifying and managing your data protection risks and compliance controls.
Implementing a risk management process as described above should enable organisations to produce a simple but informative data protection dashboard that shows the biggest data protection risks facing the organisation and how well they are being managed to drive down risk exposure. A good data protection risk report will also be forward-looking and include consideration of, and commentary on, any internal or external risk drivers that may affect the organisation’s future data protection risk profile (for example, internal projects or changes to the regulatory environment).
At HelloDPO we have been working with clients to assist with identifying data protection risks, creating risk reporting documents and related risk management tools. There is no one size fits all solution but using appropriate risk management tools can make a huge difference to your ability to demonstrate accountability, so if you are not doing so already, we recommend implementing a robust data protection risk framework into your accountability programme.