Practical Tips for Managing Privacy Risk

Author: Andrea Tang, FIP, CIPP/E, CIPM, ISO27001LA
Date Published: 20 August 2020

Privacy risk is the likelihood that someone will experience problems resulting from data processing and the impact of these problems should they occur.

What is the impact of privacy risk? Numerous new privacy laws and regulations have gone into effect in the last couple of years: the EU General Data Protection Regulation (GDPR) went into effect 25 May 2018, the law amending the Act on the Protection of Personal Information (APPI) in Japan was enacted 5 June 2020, the amended California Consumer Privacy Act (CCPA) in the United States went into effect 1 July 2020 and the Brazilian General Data Protection Law (LGPD) in Brazil is the latest to come onto the landscape.

In China, the Standing Committee of the National People’s Congress plans to draft and issue the consolidated Personal Information Protection Law and the Data Security Law in 2020.

This growing body of legislation is prompting more organizations to focus on managing privacy risk in order to earn consumer trust and build reputation.

What Is the Best Way to Manage Privacy Risk?

Privacy Risk Management Steps

Stage 1: Establish privacy governance

Stage 1-1: Define privacy governance goals

Stage 1-2: Establish an enterprise privacy risk management framework

Stage 1-3: Realize the benefits of privacy risk management

Stage 2: Conduct privacy risk management activities

Stage 2-1: Define privacy risk assessment frameworks

Stage 2-2: Conduct privacy risk assessments

Stage 3: Implement risk response

Stage 3-1: Establish response procedures for privacy risk

Stage 3-2: Respond to privacy risk

Stage 3-3: Evaluate privacy risk response

There are three stages to managing privacy risk:

  1. Stage 1: Establish privacy governance—Enterprises should define privacy governance goals and then establish their own privacy management framework. A mature privacy risk management framework can help weigh the benefits of data processing against the risk of doing so and determine which risk response measures should be adopted.
  2. Stage 2: Conduct privacy risk management activities—Enterprises should conduct privacy risk-related activities such as data protection impact assessment (DPIA), privacy impact assessment (PIA) and vendor risk assessment. Enterprises should conduct the appropriate activities when necessary.
  3. Stage 3: Implement risk response—Enterprises should establish suitable response procedures and select the appropriate response for each identified risk. Ongoing evaluation keeps privacy risk management effective as risks evolve.

What Is the Practical Guidance for Chinese Enterprises?

Since the enactment of the Cybersecurity Law of the People’s Republic of China, a series of national standards and supporting recommended guidelines have been published. There are four steps Chinese enterprises should follow:

  1. Step 1: Determine the scope of applicable privacy legislation. A chapter has been added to the civil code to address general principles related to the right to privacy and the protection of personal information, and the long-awaited update to the national standard on personal information protection has been released: Information Security Technology-Personal Information Security Specification GB/T 35273-2020 (short for “the 2020 Specification”). There are also sector-specific regulations on personal data protection, e.g., Personal Financial Information Protection Technical Specification JR/T 0171-2020 (short for “Financial Information Specification”), Measures of the People's Bank of China for the Protection of the Rights and Interests of Financial Consumers (short for “Financial Consumers Protection Measures”) and Financial Mobile Application Software Security Management Specification JR/T 0092-2019.
  2. Step 2: Conduct a personal information security impact assessment. The elements of such an assessment in China are summarized below.

Personal Information Security Impact Assessment in China

Subject: Personal information controller in China

Target:

  • Validate legal compliance.
  • Assess the risk of harm to the legitimate rights and interests of the information subject.
  • Assess the effectiveness of the measures that protect the information subject.

Content:

  • Whether the collection of personal information follows the principles of specific purpose, explicit consent, data minimization, etc.
  • Whether the processing of personal information may adversely affect the legitimate rights and interests of the information subject.
  • The effectiveness of personal information security measures.
  • The risk of re-identifying or recognizing personal information subjects after the data are aggregated with other data sets.
  • Possible adverse effects on the legitimate rights and interests of the personal information subject caused by the sharing, transfer and public disclosure of personal information.
  • Possible adverse effects on the legitimate rights and interests of the personal information subject after a security breach incident.

Steps:

  1. Establish procedures for personal information security impact assessment (at least once a year for financial personal information) and evaluate the security risk of personal information processing activities.
  2. Determine the content of the personal information security impact assessment.
  3. Determine whether to conduct a personal information security impact assessment.
  4. Document the assessment in a personal information security impact assessment report and adopt measures to protect personal information.
  5. Keep the records of the personal information security impact assessment and make the appropriate information publicly available to the relevant parties.


  3. Step 3: Implement risk response. The third-party access management requirement added to the 2020 Specification is one example of an approach to transferring risk. Enterprises should also share risk with customers (e.g., additional processing should only be performed after collecting the explicit consent of the personal information subject).
  4. Step 4: Conduct ongoing risk evaluation. The Financial Consumers Protection Measures require financial institutions to check the potential risk to personal financial information security at least once every 6 months. The 2020 Specification requires Chinese enterprises to audit the effectiveness of personal information protection policies, relevant procedures and security measures; prevent unauthorized reading, altering or deleting of audit records; and safeguard audit records and ensure their retention period meets the applicable regulatory requirements.

Conclusion

Privacy is not just a compliance issue anymore. It is about managing consumer trust and safeguarding personal data during the data life cycle. Implementing privacy risk management is a critical step to providing the foundation for effective privacy management.

Editor’s note: For further insights on this topic, read Andrea Tang’s recent Journal article, “Privacy Risk Management,” ISACA Journal, volume 4, 2020.