[author: Derek Glausser]
Getting buy-in for privacy resources at your organization and managing your company’s risk profile may seem like two separate–and overwhelming–tasks. But in fact, they are intertwined, and one can support the other. The key is privacy risk quantification. By quantifying privacy risk, you can show how privacy risk relates to other risks in the organization. And by quantifying it in a way that’s easier for stakeholders to understand, you can better communicate the urgency of investing in a comprehensive program and mitigating privacy risk.
What Is Privacy Risk Quantification?
At its simplest, privacy risk quantification helps privacy pros understand the magnitude of a risk’s impact on people, the privacy program, and the overall business. Privacy risk can be understood as the likelihood that individuals will experience problems resulting from data processing, and the impact of these problems should they occur. Privacy risk quantification methodologies often also calculate the amount of damage that would happen to their organization if a risk were to occur.
Essentially, a privacy risk quantification would calculate the amount of harm that would happen to a person whose personal information (PI) is being processed if this risk were to occur, and their consequences on the business. The calculation would use preselected categories with corresponding severities to create a risk classification that is directly comparable to other risks that have undergone the same methodology. Without a consistent methodology the risk quantification process would hinder the team’s ability to prioritize identified privacy risks due to the diminished comparability.
Why Should Your Team Do It?
Robust privacy assessments are not just a best practice: They are required for most the state privacy laws in the United States.
Privacy teams use risk quantification to create clear comparisons between the severity of privacy risks. These comparisons are vital in deciding which risk should be treated first, and how quickly. Without a process to easily order privacy risks, the risk treatment process could inefficiently address significant risks, thereby increasing their probability of being realized.
These comparisons also provide a digestible output for people not well versed in data privacy risk management. They act as an essential resource for stakeholders when building buy-in for risk treatment plans.
How to Begin Privacy Risk Quantification
For context, risk quantification is a subdomain of a larger process known as a privacy impact assessment (PIA). Privacy risk quantification starts when a PIA uncovers a new risk and has compiled all the necessary information needed to categorize the unique characteristics of this privacy risk.
To embark on a privacy risk quantification exercise, you’ll need a methodology. There are a few ways to develop a plan.
The easiest way to develop a methodology is to borrow what’s already in place at your organization. Check with your cybersecurity team to see if they have an internally developed cyber risk methodology, or an externally developed methodology of choice. You can use it as a blueprint but keep in mind: Cyber risk and privacy risk are closely associated but are not the same thing. To tailor a cyber risk plan for privacy, you’ll need to add in calculations that account for the potential harm to individuals who have Personally Identifiable Information (PII) being processed.
If there isn’t a clear guideline you can borrow from, you can also build your own methodology from scratch.
How to build your own privacy risk quantification plan
To build a plan, you’ll need to lay out steps to conduct a privacy impact assessment. Here is a checklist of the steps you’ll want to include in your PIA.
Step 1: Define Your Scope
Clearly outline the project or process being assessed. Identify the types of PI at risk of being affected and determine the boundaries of the assessment. For example, a Human Resources department looking for a new HRIS would set the scope of the assessment as all PII processing that will occur with this new solution.
Step 2: Identify and Document Data Flows
Map out how PI moves through your organization. Understand entry points, storage locations, and transmission methods. If you are looking to mature your current process, Osano’s Data Mapping software connects to your Single Sign-On (SSO) provider to automatically discover the systems your organization uses to process PI. When your data stores live outside of your SSO ecosystem, semi-automated assessment workflows help ensure privacy professionals and data store owners stay on the same page.
Step 3: Clarify Data Accuracy and Usage
Understand the ways data is processed, your existing security measures, and potential privacy risks. Take inventory of the people, vendors, or tools that access data and how they can compromise risk mitigation.
Step 4: Assess Privacy Risks
Conduct an analysis of your data flow, considering factors such as data sensitivity, purpose, and potential vulnerabilities in your systems. Evaluate the likelihood of these factors exposing consumers to privacy risks and understand the potential consequences.
Risk Quantification Frameworks
A few risk quantification frameworks already exist, and you can use them to guide your work. Two of the most common are:
NIST Privacy Risk Assessment Methodology (PRAM)
PRAM is a great resource that is free to use. The PRAM tool is a methodology to analyze, assess, and prioritize privacy risks to efficiently mitigate them. PRAM uses the risk model from NIST Internal Report 8062 (NISTIR 8062).
NISTIR 8062 is an Introduction to Privacy Engineering and Risk Management in Federal Systems (Section 3 is most applicable to this article). While directed at federal systems, the guidance and principles are largely agnostic of organizational type. It’s a great resource for any privacy program. The NISTIR 8062 can be seen as a contextual document to better understand the step-by-step walkthrough offered by the PRAM GitHub Resource.
FAIR Privacy Framework
For a more quantitatively driven framework, the FAIR Privacy framework is a great free resource. This quantitative privacy risk framework is based on Factors Analysis in Information Risk (FAIR). Factor Analysis of Information Risk (FAIR™) is an international standard quantitative model for information security and operational risk. The original FAIR provides a model for understanding, analyzing and quantifying cyber risk and operational risk in financial terms. The FAIR Privacy framework adjusts this model to analyze risks to users, and not just to the organization.
NIST's Scenario-based Framework
In addition to the PRAM tool, NIST provides a scenario-based framework via GitHub, here. An additional resource to familiarize yourself with this framework can be found in the "Quantitative Privacy Risk" presentation from the 2021 International Workshop on Privacy Engineering. While the final outputs will be prescriptive and communicable, the major drawback is its steep learning curve. This type of methodology would best suit a larger organization that has the capacity to do these intricate metric calculations.
You’ve Quantified the risks. Now What?
Once you have identified and quantified privacy risks, it's time to operationalize privacy risk management. Here's how:
Adopt a Privacy Risk Management Framework
Once your team completes your assessments, the results should feed into a formal privacy risk management framework. This often takes the form of a privacy risk registry spreadsheet. Connect with your cybersecurity team to determine if keeping privacy risks separate from cyber risks is the best course of action, or if they should be combined into a single source of truth. (Whether or not to combine information is largely based on organizational preference.)
The assessment and registry should be managed by a formal framework, there are a few commonly used risk management frameworks. The NIST Privacy Framework is free-to-use resource that seeks to provide a common language for understanding, managing, and communicating privacy risk with internal and external stakeholders. It is adaptable to any organization’s role(s) in the data processing ecosystem. The NIST framework can be used to help identify and prioritize actions for reducing privacy risk, and it is a tool for aligning policy, business, and technological approaches to managing that risk.
Implement Risk Mitigation Strategies
As part of your risk-management framework, focus on developing privacy-enhancing measures to minimize identified risks. These measures may include minimizing data collection, defining retention periods, minimizing use of sensitive PI, and only transferring data externally when absolutely necessary.
Document Final Outcomes
As part of your process, it’s critical to compile a detailed report to summarize the PIA’s findings. Clearly communicate any residual risks and steps taken to address them. This documentation should serve as an ongoing reference point for compliance. The cadence of review is dependent on the severity of risk, organizational preference, and specific framework requirements.
Review and Update Your Assessments Regularly
The privacy landscape will continue to evolve, and so should your assessments. Regularly review and update your PIA to stay current with the latest processes and ensure ongoing compliance with the latest privacy laws. Check out our article, What Is a Privacy Impact Assessment (PIA) & How to Conduct One, for more information on how to create and update assessments.
Choose a Reliable Partner for Assessments and Other Privacy Operations
Whether you’re planning on conducting your first or fiftieth PIA, remember that you don’t have to navigate the complexities on your own. A comprehensive data privacy solution can support your organization in protecting PI and streamlining compliance efforts. The right solution should help you:
