Privacy & Information Security Law Blog

The Centre for Information Policy Leadership at Hunton & Williams (the “Centre”) has published a second white paper in its multi-year Privacy Risk Framework Project entitled The Role of Risk in Data Protection. This paper follows the earlier white paper from June 2014 entitled A Risk-based Approach to Privacy: Improving Effectiveness in Practice.

The Centre’s Privacy Risk Framework Project is a continuation of the Centre’s earlier work on organizational accountability, and focuses specifically on risk assessments as an essential element of accountability. The Centre’s project intends to develop a coherent methodology for identifying and evaluating privacy risks and their impact on individuals, as well as the benefits associated with an organization’s proposed data processing. The methodology also intends to help organizations devise appropriate mitigations and controls. By enabling organizations to link privacy controls and mitigations more specifically to the actual risk of harm and benefits through the risk-based approach, organizations will be able to more effectively apply legal principles and obligations in practice, thereby improving both their legal compliance as well as their general accountability beyond compliance.

The new white paper on The Role of Risk in Data Protection discusses how privacy risk assessments or risk management techniques are already incorporated into many existing legal and regulatory regimes, interpreted by privacy regulators, and put into practice by responsible organizations. It also stresses that the risk-based approach neither changes existing legal requirements nor negate individuals’ data protection rights. Instead, it facilitates effective compliance with them. Risk assessment is an essential element of organizational accountability and helps deliver the accountability on the ground.

The paper also discusses in detail some of the key considerations in risk assessment and management, including:

• its proper role in the context of privacy protection, both where there are existing data privacy laws and in absence of such laws;
• the interaction between core elements of risk assessments such as harms, benefits and individual rights and interests;
• the importance of determining both the likelihood and severity of harm associated with data processing;
• the nature of the harms or impacts that must be considered;
• the need for making risk assessment tools efficient, scalable and flexible; and
• applying risk assessments to the entire lifecycle of data processing, from collection to disposal.

Finally, the paper also points out a number of issues that will have to be explored in greater detail in the future, such as:

• a need to create consensus and a generally accepted “taxonomy” of relevant harms;
• specific risk management models and technical standards;
• integrating and aligning privacy risk assessment models with those used in other areas;
• further clarification of concepts and terminology;
• a better understanding of proportionality between risks, benefits and appropriate controls; and
• risk assessments as an “interoperability tool” by enabling compliance with divergent national and sectoral legal requirements.