Privacy risk is the likelihood that individuals will experience problems resulting from data processing, and the impact of these problems should they occur.1 Sources of privacy risk include, but are not limited to, technical measures that lack appropriate safeguards, social media attacks, mobile malware, third-party access, negligence resulting from improper configuration, outdated security software, social engineering, and lack of encryption. Privacy risk can exist at any point in the data life cycle; thus, it is important to manage and govern data properly throughout.
A number of privacy risk management activities can be undertaken during the data life cycle.2 Designing a privacy risk management framework is the first step organizations should take to ensure data validation and data protection, to monitor and control data, and to comply with all applicable laws and regulations. Establishing a comprehensive privacy risk management framework not only safeguards sensitive information but also fosters trust among stakeholders, ensuring long-term success and sustainability in an increasingly data-driven world.
Creating and Implementing a Privacy Risk Management Framework
The COBIT® 2019 framework3 can serve as a foundation to ensure effective enterprise governance of information and technology (EGIT). It can help an enterprise govern data, implement internal and external security, and determine which components it needs from other frameworks. It is a useful tool for implementing a privacy risk management framework, particularly through its four management domains, which map to the three stages described below (figure 1):
- Align, Plan and Organize (APO)
- Build, Acquire and Implement (BAI)
- Deliver, Service and Support (DSS)
- Monitor, Evaluate and Assess (MEA)
Figure 1—Mapping to COBIT

Stage 1: Establish Privacy Governance
The US National Institute of Standards and Technology’s (NIST) Privacy Framework is intended to assist organizations in communicating and organizing privacy risk and rationalizing privacy so that they can build or evaluate a privacy governance program. The NIST Privacy Framework defines its governance (Govern) function as: develop and implement the organizational governance structure to enable an ongoing understanding of the organization’s risk management priorities that are informed by privacy risk. In this stage, the enterprise could carry out the tasks outlined in figure 2.
Figure 2—Stage 1: Establish Privacy Governance

Stage 2: Conduct Privacy Risk Management Activities
NIST also states that a privacy risk management framework is intended to help enterprises weigh the benefits of data processing against the risk of doing so and determine which risk response measures should be adopted. In this stage, the enterprise could carry out the tasks listed in figure 3.
Figure 3—Stage 2: Conduct Privacy Risk Management Activities

Stage 3: Implement Risk Response
Implementing the privacy risk response is the last stage of implementing a privacy risk management framework. In this phase, the enterprise shall establish response procedures for privacy risk, respond appropriately to the identified privacy risk, and evaluate the effectiveness of that response. In this stage, the enterprise could carry out the tasks listed in figure 4.
Figure 4—Stage 3: Implement Risk Response

In particular, enterprises should carry out incident response reviews or postincident evaluations after a security incident occurs. This includes reviewing how personnel and resources were organized during the response and evaluating control measures such as response timelines and procedures.
Privacy Risk Management in Practice
Two real-life examples can serve as useful demonstrations of the proposed methodology in practice. The first example focuses on performing a qualitative risk assessment based on an existing methodology. The second deals with a frequent privacy issue—employee tracking and monitoring—and how to implement privacy risk management in this scenario.
Example 1: Data Breach Risk Assessment Using the ENISA Methodology
In this example, 2 types of HR-related data breaches have occurred:
- Case 1—A file available on a shared drive containing more than 500 employees’ names and dates of birth is accessed by nonauthorized employees.
- Case 2—An external contractor mails the monthly pay slips of eight employees to unauthorized recipients.
By applying the ENISA model,4 the severity (SE) of a personal data breach is scored as SE = DPC × EI + CB, where DPC is the data processing context, EI the ease of identification and CB the circumstances of the breach. For the first case:
- Data processing context (DPC)—The names and dates of birth are simple data, so DPC = 1.
- Ease of identification (EI)—Because both the full name and the date of birth may be disclosed to others, there are two identifiers that can single out the individual, so EI = 1 (maximum).
- Circumstances of the breach (CB)—The circumstance is loss of confidentiality. Nonauthorized employees can access the data, which means that the data can be disclosed to a number of known recipients, so CB = +0.25.
Therefore, SE = DPC × EI + CB = 1 × 1 + 0.25 = 1.25.
For the second case:
- DPC—The information on the pay slips is financial data, in particular, the kind of data that comes from a bank and concerns the account balances of clients for the last month, so DPC = 3.
- EI—The combination of information on the pay slips, such as full name and Social Security number, makes it easy to identify the individual, so EI = 1 (maximum).
- CB—Although the circumstance is the same as in the first case, the personal data have been sent to unauthorized recipients, which increases the impact of the breach because of the unknown number of recipients, so CB = +0.5 (higher than in the first case).
Therefore, SE = 3 × 1 + 0.5 = 3.5.
By conducting this type of qualitative assessment, an enterprise can evaluate the severity of breaches, which can help it prioritize its resources and influence privacy-related decision making.
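To make the arithmetic of the two cases above repeatable, the following is an added example (my own code, not the article's or ENISA's) that encodes the scoring formula SE = DPC × EI + CB, validates the inputs, scores the two constructed cases from the text and ranks them so the more severe breach is handled first. The score values for DPC, EI and CB are the ones the article uses; the permitted value ranges and the low/medium/high/very high severity bands are my reading of the ENISA methodology and are not stated on this page, so treat them as assumptions to check against the ENISA document.

```python
"""Worked ENISA-style breach severity scoring (added example, not from the article)."""
from dataclasses import dataclass

# Score values used by the two cases in the article.
DPC_SIMPLE = 1               # names and dates of birth
DPC_FINANCIAL = 3            # pay slips (financial data)
EI_MAXIMUM = 1.0             # full name + DOB, or name + SSN, singles out the person
CB_DISCLOSED_KNOWN = 0.25    # loss of confidentiality, known recipients
CB_DISCLOSED_UNKNOWN = 0.5   # loss of confidentiality, unknown recipients

# Assumed value ranges from the ENISA methodology (not stated on the page):
# DPC is an integer 1..4, EI takes one of four ladder values, CB is a
# non-negative additive modifier.
VALID_DPC = {1, 2, 3, 4}
VALID_EI = {0.25, 0.5, 0.75, 1.0}


@dataclass(frozen=True)
class Breach:
    label: str
    dpc: int
    ei: float
    cb: float

    def __post_init__(self):
        # Reject scores outside the assumed ranges so a typo cannot
        # silently inflate or deflate the severity.
        if self.dpc not in VALID_DPC:
            raise ValueError(f"{self.label}: DPC must be 1..4, got {self.dpc}")
        if self.ei not in VALID_EI:
            raise ValueError(f"{self.label}: EI must be one of {sorted(VALID_EI)}")
        if self.cb < 0:
            raise ValueError(f"{self.label}: CB modifiers are non-negative")


def severity(b: Breach) -> float:
    """SE = DPC x EI + CB, exactly as applied in the two cases above."""
    return b.dpc * b.ei + b.cb


def band(se: float) -> str:
    """Assumed ENISA severity bands (not on the page): low < 2 <= medium < 3 <= high < 4 <= very high."""
    if se < 2:
        return "low"
    if se < 3:
        return "medium"
    if se < 4:
        return "high"
    return "very high"


# The two constructed cases from the text.
CASE_1 = Breach("shared-drive file: names and dates of birth", DPC_SIMPLE, EI_MAXIMUM, CB_DISCLOSED_KNOWN)
CASE_2 = Breach("pay slips mailed to unauthorized recipients", DPC_FINANCIAL, EI_MAXIMUM, CB_DISCLOSED_UNKNOWN)


def prioritize(cases):
    """Return (label, SE, band) tuples, most severe first, for resource prioritization."""
    scored = [(b.label, severity(b), band(severity(b))) for b in cases]
    return sorted(scored, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    for label, se, level in prioritize([CASE_1, CASE_2]):
        print(f"{se:4.2f}  {level:9s}  {label}")
```

Running it lists the pay-slip breach (SE = 3.5) ahead of the shared-drive breach (SE = 1.25), which is the prioritization the article argues the qualitative assessment should drive. Adding further breach types only requires new `Breach` records with their DPC, EI and CB scores.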
Example 2: Employee Tracking and Monitoring
Few data controllers are likely to collect more personal data about individuals than their employers. Employee tracking and monitoring tools can impose a high privacy risk in the workplace. These tools include but are not limited to:
- Bring your own device (BYOD)—Employees are permitted to use their own personal devices (e.g., smartphones, tablets) for communicating in the workplace. This results in data protection risk because, outside the workplace, employees’ mobile devices might be lost or misused; inside the workplace, the employer has access to personal data from employees’ personal devices.
- Data loss prevention (DLP)—DLP tools inevitably involve processing the personal data of employees and other third parties because they operate on networks and systems used by employees, such as the email exchange server, which can contain personal information even if employees are not allowed to use it for personal activities.
- Closed-circuit television (CCTV)—CCTV is used to monitor the workplace for security purposes.
- Email monitoring—During an internal investigation, the employer may review employees’ emails.
- Global Positioning System (GPS) tracking—GPS tracking devices may be installed in company cars.
Stage 1: Establish Privacy Governance
Before deciding whether to apply these monitoring tools, the enterprise should judge whether their use is based on data subject consent or legitimate interests. At the same time, the enterprise should establish appropriate policies (such as BYOD policies) and clearly explain to employees the purpose of collecting their personal data and the enterprise’s responsibilities when doing so. For example, when deciding to apply DLP tools, the enterprise should strengthen the protection of its IT infrastructure and confidential business information through internal and external strategies.
Stage 2: Conduct Privacy Risk Management Activities
The enterprise should conduct a data protection impact analysis (DPIA), legitimate interest assessment (LIA) or balancing test on employee monitoring activities to determine necessity, legitimacy, proportionality and transparency:
- Necessity—Whether monitoring is necessary to the processing purpose and meets data minimization requirements
- Legitimacy—Whether monitoring (e.g., large-scale video surveillance or the systematic monitoring of public areas) meets legitimate interests, such as protecting IT infrastructure and maintaining the safety of public areas
- Proportionality—Whether monitoring is proportionate to the issue the enterprise is encountering (e.g., remote control, facial recognition and voice recording may not be necessary)
- Transparency—Whether the existence and type of surveillance measures have been communicated to employees
Stage 3: Implement Risk Response
Enterprises must be clear about where the processed data are stored and what measures must be taken to keep them secure. This includes:
- Ensuring that the transfer of data from employees’ personal devices to the enterprise’s servers is secure to avoid any interceptions.
- Considering how to manage personal data held on personal devices once an employee leaves the organization or if a device is stolen or lost. Mobile device management software can be used to locate devices and remove data on demand.
- Obtaining prior authorization when required. For instance, in most countries, enterprises installing CCTV should obtain advance certification from supervisory authorities, in accordance with local regulations.
After monitoring has been implemented, make the following determinations with regard to personal data:
- Whether there is a legal basis for retaining the data
- Whether the data are stored safely
- Whether the data retention period is defined
- Whether data subjects can exercise their rights, including the right to complain
- Whether the data will be anonymously processed or destroyed
These determinations will ensure compliance with data protection regulations and reinforce trust with data subjects.
Conclusion
Privacy is no longer simply a compliance issue. It is about managing consumer trust and safeguarding personal data during the data life cycle. Creating and implementing a privacy risk management framework is the critical step an enterprise should take to build trust and protect data.
Editor’s Note
This article is excerpted from an article that was published as an ISACA® Journal article. Read Andrea Tang’s full Journal article, “Privacy Risk Management,” available online.
Endnotes
1 RSA Conference 2020, “NIST Privacy Framework IRL: Use Cases From the Field”
2 ISACA®, Rethinking Data Governance and Management: A Practical Approach for Data-Driven Enterprise, USA, 2020
3 ISACA, COBIT® 2019, USA, 2018
4 European Union Agency for Cybersecurity (ENISA), “ENISA Recommendations for a Methodology of the Assessment of Severity of Personal Data Breaches,” November 2013
Andrea Tang, CIPP/E, CIPM, FIP, ISO 27001 LA
Serves as the leader of the ISACA China WeChat group. She has been a guest speaker for the Hong Kong Baptist University School of Business Master of Science (fintech and data analytics) program. Tang has published privacy-focused articles in the ISACA Journal and contributed to guidebooks released by the ISACA China Technical Committee.