Organizations face new complexities, and shareholders and regulatory bodies expect ever more assurance and compliance, even as the larger world grows more complicated. Actionable risk management is one way to address this tension by planning for a unified response to emerging events. What better time than now to start or review your data protection risk management program?
What is Data Protection Risk Management?
Data protection risk management focuses on processes to proactively assess data risks, vulnerabilities, and opportunities. These include security risks and mechanisms to minimize business and legal risk due to data breaches and data loss. It also includes effectively managing a comprehensive privacy program and potentially an AI governance program. The same broad strategies apply regardless of organization sector, size, or scope and for multiple types of data including personal data, sensitive data and business confidential data.
We can break risk management strategies into three general categories.
IDENTIFY:
What are the potential risks faced by your organization? How, when, where and why does your organization collect, use, share and otherwise process data?
EVALUATE:
What is the likelihood (i.e., the probability) that a risk will occur? This can be expressed as a percentage probability (e.g., 10%), as a frequency, or in qualitative terms (e.g., high/medium/low).
The other component of evaluation is to determine the potential impact (i.e., the extent of harm) a risk may have on the organization. It's also crucial to categorize risks as financial (fines, litigation costs, loss of revenue), operational (inability to operate in a particular geo, business slowdown or shutdown) or reputational (loss of customer trust, negative publicity).
MANAGE:
Then consider ‘how might we’ avoid the potential risk? If avoidance is not a viable option, can you reduce the risk? There will likely be a variety of options to mitigate data risk, including enterprise-wide data protection programs and governance, frameworks, controls and certifications, and more tactical measures such as encryption, access controls, firewalls, and intrusion detection systems. Finally, you may consider transferring the risk to a third party equipped for the task, such as through vendor contract terms or via insurance coverage.
Risk Management is Ongoing
Risk management takes multiple forms. It includes educating and training employees and stakeholders, maintaining a response plan for addressing risks, and performing regular audits to expose potential weaknesses and identify threats. It also requires an insistence on vendor compliance, careful documentation with regular updates in anticipation of potential compliance issues, and a straightforward process for reporting threats along a clear chain of command.
Investing in robust data protection governance and risk management comes with considerable rewards. Your organization will benefit from better resource allocation and prioritization of projects, a shared understanding of enterprise risks, and aligned decision-making frameworks.
There are other advantages, such as more informed and in-depth risk analysis, a more consistent risk review process and the potential to create an enterprise ‘risk register.’ This may also prompt discussions on the appropriate level of risk mitigation and a better understanding of risk tolerance, which will vary depending on company data processing activities, geographic scope and executive and Board oversight.
Why Now More Than Ever?
The proliferation and acceleration of AI tools, technologies and risks warrants a fresh look at, and perhaps a revamping of, your data protection risk management approach. 2023 was a watershed year for AI regulation, executive orders and voluntary codes of conduct, and much more is expected to come. Make it a New Year’s Resolution to re-examine your risk management programs. If you are a privacy professional, consider this a career development opportunity - privacy can lead the way on AI governance and risk management.
Risk Management Resources
Here are some links to useful resources. Those who invest in robust data protection and risk management models designed to adapt alongside new technologies will find value far outweighing the costs.
NIST - The National Institute of Standards and Technology offers many data protection and risk management frameworks, including frameworks for privacy and cybersecurity and, most recently, one for AI.
Singapore AI Verify - An AI governance testing framework and software toolkit that validates the performance of AI systems against a set of internationally recognized principles through standardized tests. Recently, IMDA and the National Institute of Standards and Technology (NIST) completed a joint mapping exercise between IMDA's AI Verify and NIST's AI Risk Management Framework. The alignment aims to synthesize and harmonize international AI governance frameworks and reduce the cost of meeting multiple requirements.
IAPP AI Governance Center - Here you can find useful content and resources from the International Association of Privacy Professionals.
IAPP AI Governance Training and Certification - This new curriculum provides an overview of AI technology, a survey of current law, and strategies for risk management. I recently took the training and would recommend it for privacy, security or AI professionals (legal, business, technical staff) involved with developing or supporting AI governance and risk management.