Over the past month in our blog posts, we’ve talked about the risks linked to personal data, and its use (or misuse): how and when to identify and assess the risks, how to control them, and monitor them, and the all-important steps to take when your colleagues have different ideas about the risks! Today we’ll have a quick reminder of all the steps involved in assessing risks. We’ll refer to it as an overview of how to carry out a DPIA or data-related risk assessment, but the steps apply to all types of business risks.
WHAT? – Have a think about what specific categories of data you’re planning to use.
WHY? – Challenge each of those categories of data – do you really need to collect or use it? Or is it a nice-to-have? Consider the goal and purpose of the work being undertaken.
TRANSPARENCY – Is the way you plan to use personal data transparent?
BRAINSTORMING – This is the fun bit – brainstorming all the ways things could go wrong!
RISK MATRIX – All the things that get brought up in the brainstorming process are your main risks, now you need to score them. Most medium to large organisations will probably already have a risk assessment matrix to use, but if not, it can be as simple as: 3 levels of impact x 3 levels of likelihood of the risk occurring = risk scores from 1 to 9.
CONTROLS – Deciding on appropriate ways to control the risks you’ve identified is where you might come up against some conflicting ideas from colleagues.
MONITOR – It’s not quite over yet I’m afraid! If the risk is an ongoing thing, you need to keep an eye on those controls to be assured that they’re doing their job, and keeping the risk from happening.
After this quick canter through the various steps, further detail on each step can be found in the earlier blog posts:
Privacy by Design – embedding data protection like raisins in scones
Where and when to consider data protection risks – in projects and policies
How to carry out a DPIA / Risk Assessment
Controls and conflicts in DPIAs and risk assessments
How to monitor risks and controls
We’ve also got a YouTube channel with short bite-sized video versions of the blog posts: Click here to see our videos.
And coming soon, at 11am on Thursday 15th July, we’re presenting a FREE webinar on sending emails to customers and potential customers lawfully, without falling foul of the PECR regulations.
If you’ve got any burning questions or are just not sure how to tackle a risk assessment in your organisation, then I’d be more than happy to have a FREE 15 minute call with you to point you in the right direction – just click here to book a call.