As part of the TrustArc Privacy Insight Series, TrustArc SVP, Privacy Intelligence and General Counsel, Hilary Wandall, TrustArc Director, EU Policy & Strategy, Paul Breitbarth, and TrustArc SVP, Products and Engineering, Michael Lin presented the webinar “Assessing Risk: How Organizations Can Proactively Manage Privacy Risk” last week. This blog post will give a brief summary of that webinar; you can listen to the entire webinar and download the slides here.
As organizations begin to ramp up their privacy programs to encompass data processing and data management activities, risk management becomes an increasingly important topic. In this webinar, the panelists discussed:
Risk management relating to privacy for an organization and an individual. The main organizational risks from a privacy perspective are data security, changing legal frameworks, international data flows, and enforcement actions and court cases. For individuals, privacy risks center on the sensitivity of data processing, such as the volume of data being processed and shared, the individuals involved in the data processing, unnecessary data processing, and unexpected secondary uses of data, among other risks.
Third-party risks in today’s climate. With the COVID-19 pandemic forcing many people to shelter in place, working from home must itself be subject to risk management. There is a need to understand the risks from third-party technologies and third-party providers. How data privacy is maintained in a home environment, such as how printed documents are handled, which computer devices are used for work, and how data is stored and cleared, are additional third-party risks that need to be considered. Risk management has also driven regulatory changes on data usage, cross-border data transfers, and video conferencing.
Focusing resources on the highest areas of risk. There is an ongoing balancing test between a risk and its consequences, weighed by the severity and likelihood of that risk occurring. The way to prioritize resources effectively is to identify the highest-risk areas and tackle those immediately. Risks with high severity and a high likelihood of occurring should be prioritized for prevention, protection, and recovery measures.
Risk reporting to management and the board. Boards of directors are responsible for risk oversight and governance, which is critical to organizational strategy. Key areas of risk for the board of directors are Governance Risks, Business Management Risks, Critical Enterprise Risks, Emerging Risks, and Board Approval Risks. Specific privacy topics reported to the board of directors and management include data breaches, status of compliance with GDPR, privacy program key performance indicators, progress on privacy initiatives, privacy litigation, and more. Accountability is also important in risk reporting, to demonstrate compliance, a structured review process, and detailed management reporting.
Tools and best practices to manage, automate, and continuously monitor both company and third-party risk. The five key pillars of managing risk are Identify, Assess, Analyze, Remediate, and Ongoing Monitoring. Other considerations include automating these processes wherever possible, driving a holistic view of the vendor, ease of use with a streamlined user experience, and managed services and consulting to build your program.
TrustArc Risk Profile empowers privacy leaders to identify high-risk business activities, conduct the appropriate risk evaluation, and calculate the risk at the business-activity level to understand risk across the organization. To learn more, click here.
Join us for the next webinar in the Privacy Insight Series: “EMEA Quarterly Update: Two Years Later” with TrustArc Director, EU Policy and Strategy, Paul Breitbarth, and TrustArc Senior Privacy Researcher, Jadene Young joined by Hunton Andrews Kurth LLP President, Centre for Information Policy Leadership, Bojana Bellamy on April 29th, 2020 at 7:00am PT. Register for the webinar here.