Controls & Conflict in DP Risk Assessments

In our last blog post we talked about brainstorming to identify risks, and how to measure each risk, when assessing data protection related policies and projects. This time we’re looking at appropriate controls for the risks you’ve identified, and what to do if the project team has different ideas from the Data Protection lead.


In a former life, I worked as a Health & Safety Officer in manufacturing, which gave me lots of experience in identifying physical risks and appropriate controls. You might think the controls needed to make metal sheet cutting safe for the machinery operator would be a million miles away from the controls needed for data-related risks, but that’s not the case. I actually lean towards what I learned in manufacturing when I’m assessing data risks and identifying controls.

In the last blog post I touched on some of the risks you might find related to handling personal data, and how you might measure their impact and likelihood to calculate a Risk score.

So what now? We have an idea of the risks and what level of risk is represented by the data processing – the policy, procedure or project. But how will we control the risks?

This is where I draw on my previous experience in manufacturing. In Health & Safety there’s a concept called the Hierarchy of Controls, usually shown as an upside-down triangle. From most to least effective, the list goes:

  • Elimination – remove the hazard.
  • Substitution – use a less hazardous item, material, liquid, etc.
  • Engineering controls – keep people separated from the hazard.
  • Administrative controls – policies and procedures.
  • PPE – Personal protective equipment.

Granted, face masks and gloves aren’t likely to be much use in controlling data-related risks, but the others are certainly worth looking at.

And we’ve already considered them in part, when challenging the policy or project we’re assessing: “Do you actually need to ask this question or collect this data?” is an attempt to ‘eliminate’ at least part of the risk.

Another way to use elimination as a control is if you’re faced with risks from using a certain supplier, or having data stored on US-based servers. Ask if you can eliminate the need to use that supplier or those servers completely. If not, can you substitute (no. 2 in the list of controls) the supplier for a less troublesome company, or find storage in the UK?

If you can eliminate a hazard completely, that’s fantastic. But if you need to move down the list to substitution, keep going down the list (even if you can apply substitution to the risk) and consider whether there are any “engineering” controls you could apply as well. An example would be locking data away securely, which applies equally to paper records and to electronic data.

Next we look at “administrative” controls, which include policies and procedures – anything to do with people being required and instructed to work in a certain way. When you think about how many data breaches are due to human error, where someone hasn’t followed the instructions (emailing the wrong recipient without double-checking the address, for example), you can see why this sits so low down the list of effective controls. Procedures and instructions should support the other controls, not replace them.

Once you’ve identified a wish-list of controls, this is where the conflict might come in. It won’t always be popular or even appropriate to apply everything you’ve come up with from the brainstorming, for various reasons. So now it’s time to weigh up the money, time and other costs the suggested controls could involve, and compare this to two things:

  1. The risk score that the controls apply to;
  2. The risk appetite of the organisation.

Think about the risk you’re trying to control – is it a high enough risk to justify the controls if they are expensive or time consuming, especially if they will make little difference to the risk?

Also, it’s possible that the organisation is happy with some level of risk, and is resistant to the suggested controls.
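As an added illustration (not code from the original post), the following walks the hierarchy of controls described above and applies the cost versus risk-score versus risk-appetite weighing from this section. The impact × likelihood scoring, the 1–5 cost scale and the “reduction” estimates are my own assumptions for the example, not figures from the post.

```python
from dataclasses import dataclass, field
# Hierarchy of controls from the post, most to least effective (PPE omitted).
TIER = {"elimination": 0, "substitution": 1, "engineering": 2, "administrative": 3}

@dataclass
class Control:
    name: str
    tier: str         # key of TIER
    cost: int         # relative money/time cost, 1 (trivial) to 5 (major); constructed scale
    reduction: float  # estimated fraction of the risk score the control removes, 0 to 1

@dataclass
class Risk:
    name: str
    impact: int       # 1 to 5
    likelihood: int   # 1 to 5
    controls: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return self.impact * self.likelihood  # assumed scoring formula, not stated on this page

def evaluate(risk: Risk, appetite: int) -> dict:
    """Walk candidate controls in hierarchy order, then compare residual risk to appetite."""
    residual, chosen = float(risk.score), []
    for c in sorted(risk.controls, key=lambda c: TIER[c.tier]):
        if residual == 0:
            break                                # hazard eliminated; nothing left to control
        if c.cost >= 4 and c.reduction < 0.2:
            continue                             # expensive and makes little difference
        if residual <= appetite and c.cost > 1:
            continue                             # already within appetite; only cheap extras
        chosen.append(c)
        residual *= 1 - c.reduction              # keep going down the list after substitution
    return {
        "risk": risk.name, "score": risk.score, "residual": round(residual, 1),
        "controls": [c.name for c in chosen],
        "admin_only": bool(chosen) and all(c.tier == "administrative" for c in chosen),
        "needs_signoff": residual > appetite,    # above appetite: record who accepted it
    }

# Constructed sample: no elimination option, so substitution, engineering and procedures
# are weighed together; the e-learning is dropped as costly with little effect.
MISDIRECTED_EMAIL = Risk("Client report emailed to wrong recipient", 4, 3, [
    Control("Replace attachments with expiring secure share links", "substitution", 2, 0.4),
    Control("DLP rule blocking external send of tagged reports", "engineering", 4, 0.5),
    Control("Recipient double-check step in the procedure", "administrative", 1, 0.1),
    Control("Annual email-security e-learning", "administrative", 4, 0.1),
])
```

An `admin_only` result flags a risk held up by procedures alone, and `needs_signoff` marks the residual risk that someone above the DPO has to accept on the record.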

What do you do if you’ve assessed the risks, suggested controls, and believe they are appropriate to the level of risk, but you get pushback from the project team or elsewhere in the organisation?

As a Data Protection Officer or DP lead, it’s important not to take it personally (I do see the irony) and focus on what you can influence. Be very clear about the risks and why you feel the controls are appropriate, and document this all very clearly. Ask if your colleagues can explain their resistance, and try to explain your thought process again.

Ideally, the Governance framework in your organisation will identify where, and at what level, acceptance of a risk or overriding of the DPO’s advice can be signed off. If it doesn’t, make sure there’s an audit trail of your concerns and the responses from your colleagues. It might feel uncomfortable, but being practical, that’s all you can do if you consistently get pushback. And it’s all you’re required to do as a DPO under the GDPR – advise and monitor, not force people to do things!

Remember as well, it’s worth bouncing ideas off a fellow DP practitioner if you can, as they might be able to think of another solution to the conflict; being less close-up to the issue can help others see a bigger picture sometimes.


In the next blog post we’ll look at how and when to monitor and report on controls, once they’ve been put into place.
