
Privacy risk management

Information security and privacy are closely linked. And setting the right level of information security and privacy cannot be done without managing risks that can affect both organisations and individuals.

Information security and privacy risks

Information security risks relate to breaches of the confidentiality, integrity and availability of business processes or information. Organisations may use various methods and tools to manage these risks in order to identify risks, determine their severity, and prioritise information security measures.

Privacy risk assessment is often limited to the impact on the individual (data subject). These impacts are usually assessed as part of the Data Protection Impact Assessment (DPIA) required by the GDPR, or the Privacy Impact Assessment (PIA) described in the international standard ISO/IEC 29134. However, performing a DPIA/PIA tells us nothing about the possible consequences for the organisation of violating the privacy of individuals. We must also consider the possibility that the risks of personal data processing are very low for data subjects but very high for controllers or processors; examples are damage to reputation or failure to comply with legal obligations.

Requirements of ISO/IEC 27000 series standards

The requirement for privacy risk assessment is defined by the international standard ISO/IEC 27701, which extends ISO/IEC 27001 and ISO/IEC 27002 to privacy information management. ISO/IEC 27701 states in article that organisations must use a privacy risk assessment process to identify risks associated with the processing of personal data. ISO/IEC 27701 in normative Annex A, article A.7.2.5 also specifies that an organisation must assess the need for and, where appropriate, perform a privacy impact assessment (PIA) whenever new processing of personal data or changes to existing processing of personal data is planned.

Assessment of information security risks and privacy risks

The process of identifying information security and privacy risks may not be very different. We can use, for example, a high-level event-based risk assessment method in combination with a supporting asset-based risk assessment method. We can also determine the level of privacy risk in the same way as the combination of consequences and the probability of their occurrence.

The extent of the consequences of a breach is affected in particular by the purpose of the processing of personal data, the sensitivity of the personal data concerned, the nature of the event (what could happen), the extent of the event (how many data subjects could be affected), how long the breach could last (e.g. data unavailability), etc. The impacts/consequences of the feared event may manifest themselves in different ways. For an organisation, the consequences of information security and privacy breaches can be similar, such as financial loss, reputational damage, or failure to meet the organisation's business goals. The consequences for data subjects are different, such as loss of dignity, discrimination, financial loss to individuals, damage to health or even death.

Several factors in turn influence the likelihood that these impacts/consequences occur. The first is the resilience of the ecosystem in which the personal data is processed, which is determined by the effectiveness of the existing preventive, detective and reactive information security and privacy measures: the more effective the measures, the less likely it is that a risk source will exploit the weaknesses/vulnerabilities of the supporting assets. The likelihood is also affected by the characteristics of the risk sources. Just as stronger wind increases the likelihood of severe damage (this article was written shortly after the tornado in Moravia), the motivation (intentions) and abilities (equipment, knowledge) of cyberattackers increase the likelihood of severe consequences of information security and privacy breaches.

The higher the consequences for the organisation or the impact on the individual, and the higher the likelihood of these consequences/impacts occurring, the higher the risk level.


This article has addressed whether and, if so, how to integrate the assessment of information security and privacy risks, covering impacts on both organisations and data subjects. A common approach to managing information security and privacy risks is appropriate, and can be recommended if only for the effectiveness of assessing and treating both kinds of risk.
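The following is an added worked example, not a tool from KRUCEK or text from ISO/IEC 27701, of the combined approach described above: one event-based assessment that rates each feared event twice, once for the organisation and once for the data subjects, on the same consequence and likelihood scales, with likelihood derived from the resilience of the supporting assets and the characteristics of the risk sources. The four-level scales, thresholds, rounding rule, risk matrix and the two sample events are constructed assumptions chosen to illustrate the method.

```python
"""Combined information security / privacy risk scoring (illustrative, constructed scales)."""
import math
from dataclasses import dataclass

LEVELS = {1: "negligible", 2: "limited", 3: "significant", 4: "maximum"}
RISK_LABELS = ("low", "medium", "high", "critical")


@dataclass
class RiskSource:
    name: str
    motivation: int   # 1..4 (intentions)
    capability: int   # 1..4 (equipment, knowledge)


@dataclass
class SupportingAsset:
    name: str
    control_effectiveness: int  # 1..4: preventive, detective and reactive measures combined


@dataclass
class FearedEvent:
    description: str
    data_sensitivity: int       # 1..4
    subjects_affected: int      # number of data subjects
    duration_hours: float       # how long the breach could last
    org_consequence: int        # 1..4: financial, reputational, business goals
    subject_consequence: int    # 1..4: dignity, discrimination, health ...
    assets: list                # supporting assets the event relies on
    sources: list               # risk sources that could cause it


def scale_subjects(n: int) -> int:
    """Number of affected subjects mapped to 1..4 (constructed thresholds)."""
    return 1 if n < 100 else 2 if n < 10_000 else 3 if n < 1_000_000 else 4


def scale_duration(hours: float) -> int:
    """Breach duration mapped to 1..4 (constructed thresholds)."""
    return 1 if hours <= 1 else 2 if hours <= 24 else 3 if hours <= 24 * 7 else 4


def consequence(ev: FearedEvent, for_subject: bool) -> int:
    """Base rating for the organisation or the data subject, aggravated one step
    when at least two of sensitivity, scale and duration are rated 3 or higher."""
    base = ev.subject_consequence if for_subject else ev.org_consequence
    aggravating = (ev.data_sensitivity, scale_subjects(ev.subjects_affected),
                   scale_duration(ev.duration_hours))
    if sum(1 for a in aggravating if a >= 3) >= 2:
        base = min(4, base + 1)
    return base


def likelihood(ev: FearedEvent) -> int:
    """Ecosystem resilience (weakest supporting asset) combined with the strongest
    risk source; rounded up, so the estimate is conservative."""
    exposure = 5 - min(a.control_effectiveness for a in ev.assets)   # 1 strong .. 4 weak
    strongest = max((s.motivation + s.capability) / 2 for s in ev.sources)
    return max(1, min(4, math.ceil((exposure + strongest) / 2)))


def risk_level(cons: int, lik: int) -> str:
    """4x4 matrix: higher consequence and higher likelihood give a higher risk level."""
    score = cons * lik
    return "low" if score <= 2 else "medium" if score <= 6 else "high" if score <= 9 else "critical"


def assess(ev: FearedEvent) -> dict:
    lik = likelihood(ev)
    org_c, sub_c = consequence(ev, False), consequence(ev, True)
    org_r, sub_r = risk_level(org_c, lik), risk_level(sub_c, lik)
    return {"event": ev.description, "likelihood": lik,
            "org_consequence": org_c, "subject_consequence": sub_c,
            "org_risk": org_r, "subject_risk": sub_r,
            # the worse of the two ratings drives treatment priority
            "overall": max(org_r, sub_r, key=RISK_LABELS.index)}


def prioritise(events: list) -> list:
    return sorted((assess(e) for e in events),
                  key=lambda r: RISK_LABELS.index(r["overall"]), reverse=True)


# Constructed sample data: two feared events for a fictional controller.
attacker = RiskSource("external attacker", motivation=3, capability=3)
employee = RiskSource("careless employee", motivation=1, capability=2)
EVENTS = [
    FearedEvent("Unauthorised disclosure of patient health records",
                data_sensitivity=4, subjects_affected=50_000, duration_hours=72,
                org_consequence=3, subject_consequence=4,
                assets=[SupportingAsset("patient database", 2), SupportingAsset("VPN gateway", 3)],
                sources=[attacker, employee]),
    # low impact on subjects, but legal non-compliance is serious for the controller
    FearedEvent("Staff e-mail directory published on public website",
                data_sensitivity=1, subjects_affected=300, duration_hours=24 * 30,
                org_consequence=4, subject_consequence=1,
                assets=[SupportingAsset("public web server", 3)], sources=[employee]),
]

if __name__ == "__main__":
    for r in prioritise(EVENTS):
        print(f'{r["overall"]:8} org={r["org_risk"]:8} subject={r["subject_risk"]:8} {r["event"]}')
```

Run as a script it lists the two events in treatment order. The second event shows the point made earlier about DPIA/PIA scope: its subject risk comes out low while the organisational risk is high, so an assessment limited to the data subject would leave the controller's own exposure untreated.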
