In today’s uncertain environment, organizations regularly confront new and evolving risks. Data-related risks can stand alone or converge with other enterprise risks: third-party risk, regulatory compliance risk (for example under the CCPA and GDPR), security risk, and operational and financial risk.
Identifying, understanding, managing and reporting on data risks across the organization is a critical part of an integrated data governance strategy and essential to enterprise risk management. Organizations with continuous insight into their evolving risks can focus resources on the highest areas of risk and prioritize their mitigation strategies and plans.
This webinar will review: risk management and privacy; third-party vendor risks in today’s climate; top considerations for focusing resources on the highest areas of risk; risk reporting to management and the board; and the tools and best practices to manage, automate and continuously monitor both company and third-party risk.
2. Thank you for joining the webinar Assessing Risk: How Organizations Can Proactively Manage Company and Third-Party Risk
3. Speakers
● Hilary Wandall, SVP, Privacy Intelligence and General Counsel, TrustArc
● Paul Breitbarth, Director, EU Policy & Strategy, TrustArc
● Michael Lin, SVP, Products and Engineering, TrustArc
4. Agenda
● Risk management and privacy
● Third party risks in today’s climate
● Focusing resources on highest areas of risk
● Risk reporting to management and the board
● Tools and best practices to manage, automate and continuously monitor both company and third-party risk
5. Polling Question 1
What data-related risks are you most concerned about? (Select one)
● Compliance with new laws
● Enforcement of existing laws
● Third party controls and compliance
● Security controls
● New technologies
7. Risk Management and Privacy
Main Organizational Risks from a Privacy Perspective
● Data Security
○ Security incidents and data breaches, often followed by mandatory notification requirements
○ Bring Your Own Device
○ Remote working: working from home, working on the road
● Changing Legal Frameworks
○ Legislation is continuously changing, and even more so in recent years
● International Data Flows
○ Can data flow across borders without restrictions?
● Enforcement Action & Court Cases
○ Safe Harbour & Privacy Shield cases
○ Class actions
○ Reputation
8. Risk Management and Privacy
Privacy Risks to Individuals - Data Processing Sensitivity
● Volume of data collected and shared
● Scope of individuals involved (e.g., global health study)
● Unnecessary data processing
● Unexpected secondary data uses
● Automated decision-making
● Algorithmic decision-making
● Profiling
● Monitoring and surveillance
● Vulnerable role (e.g., children)
● Disadvantaged group (e.g., member of a protected class)
● New technologies (e.g., contact tracing apps)
● Sensitive data (e.g., health information)
● Disclosures to third parties
● Limiting individual rights
Terminology Tip: Data processing is a collective set of data actions, such as data collection, generation, storage, retrieval, analysis, transformation, alteration, combination, use, transmission, disclosure, sharing, alignment, disposal, deletion, or destruction.
11. Legal and Regulatory Risks are Exploding
New laws and regulations by category and region, 2019 (blank cells are zero; the column placement below is recovered from the row and column totals):

Category                        North America   Latin America   EMEA   Asia Pacific   Totals
Comprehensive Data Protection   -               1               4      2              7
GDPR Implementation             -               -               9      -              9
Information Security            9               1               -      3              13
Health Privacy                  4               -               2      -              6
Financial Privacy               5               -               -      -              5
Education Privacy               3               -               -      -              3
Breach                          11              1               -      -              12
Privacy Rights                  3               -               1      1              5
Other                           8               1               9      2              20
Totals for 2019                 43              4               25     8              80

● 80 new laws in 2019
● >600 laws globally
● More complex rules
12. Risk Management and Privacy
GDPR Risk-based Approach (Recitals 74-76)
Take into account:
● the nature, scope, context and purposes of the processing operation;
● the risk to the rights and freedoms of natural persons (not just privacy / data protection);
● possible physical, material or non-material damage; as well as
● the likelihood and severity of the risk.
The fundamental principles of data protection law apply to all data controllers and processors, but how they implement their compliance efforts may depend on the assessment of risk.
As the Article 29 Working Party (WP29) put it: “Compliance should never be a box-ticking exercise, but should really be about ensuring that personal data is sufficiently protected” (WP218, 2014).
In order to assess risk, you first need to understand your processing operations. Managing risk is therefore supported by the creation and maintenance of an inventory of data and processing activities (GDPR Article 30 makes such a record of processing activities mandatory for most controllers and processors).
13. Risk Management and Privacy
Privacy & Data Protection Impact Assessments are mandatory processes under many privacy and data protection laws.
● A Privacy Impact Assessment (PIA) is an analysis of how personally identifiable information is collected, used, shared, and maintained. (U.S. Federal Trade Commission)
● A PIA is a risk management process that helps institutions ensure they meet legislative requirements and identify the impacts their programs and activities will have on individuals’ privacy. (Office of the Privacy Commissioner of Canada)
● A Data Protection Impact Assessment (DPIA) is an assessment of the impact of the envisaged processing operations on the protection of personal data, required where the processing is likely to result in a high risk to the rights and freedoms of individuals. (GDPR, Article 35)
14. Risk Management and Privacy
The WP29 DPIA guidelines (WP248 rev.01), endorsed by the EDPB, consider that the more of the following criteria a processing operation meets, the more likely it is to present a high risk to the rights and freedoms of data subjects, and therefore to require a DPIA. As a rule of thumb, processing operations which meet at least two of these criteria will require a DPIA.
1. Evaluation or scoring (including profiling)
2. Automated decision-making with legal or similarly significant effect
3. Systematic monitoring
4. Use of sensitive data (as defined by Article 9 GDPR) or data of a highly personal nature
5. Data processed on a large scale (taking into account the number of data subjects concerned, the volume of data, the duration of the processing and the geographical extent)
6. Datasets that have been matched or combined
7. Data concerning vulnerable data subjects
8. Innovative use or applying new technological or organisational solutions
9. When the processing in itself “prevents data subjects from exercising a right or using a service or a contract”
In addition to these generic criteria, each EU Member State’s supervisory authority publishes a national list of processing operations that require a DPIA.
16. NIST Privacy Framework 1.0 - An Enterprise Approach to Privacy Risk
Alignment of Privacy Risks with Cybersecurity Risks Throughout the Data Lifecycle
[Figures from the NIST Privacy Framework 1.0 (2020): the overlap between privacy risk and cybersecurity risk, and the role of the Privacy Impact Assessment]
NIST Privacy Framework Functions
● Identify-P - data inventory and risk assessments
● Govern-P - strategy, policies, processes, procedures, awareness, training
● Control-P - data processing management
● Communicate-P - internal and external
● Protect-P - security, identity management, access, authentication
The Privacy Framework is designed to be used alongside the NIST Cybersecurity Framework, whose remaining functions cover the cybersecurity side of the overlap:
● Detect - monitoring, anomalies, events
● Respond - analysis, mitigation
● Recover - recovery planning, improvements, communications
17. Polling Question 2
How do you manage third party risks? (Select all that apply)
● Contracts, Data Processing Agreements, NDAs
● Vendor Assessments
● Security Risk Assessments
● Certifications and Audits
● Third Party Risk Tools
19. Third Party Risks in Today’s Climate
What business activities don’t involve third parties?
● Supply chains
● SaaS
● Advertising
● Data analytics
● Professional services
● Advisors
But how do you monitor and compare third party risks?
● Not all third parties are the same
○ Roles: vendors, data processors, business associates, service providers, partners
○ Data processing sensitivity (e.g.,
○ Data sensitivity
○ Geographic location
○ Security posture
○ Compliance maturity
○ Privacy engineering practices
○ Financial solvency
[Image from the NIST Privacy Framework 1.0]
20. Third Party Risks in Today’s Climate: COVID-19 WFH
Confidential Data Awareness
Remind employees about confidential data, including both personal data and business data such as trade secrets. Make sure documents are not downloaded unless necessary, and minimize transmission. If confidential data must be emailed or shared, use encryption.
No Document Printing
A home environment is not the best place for paperwork. Restrict printing unless absolutely necessary.
Work & Personal Devices
Work devices, including phones and laptops, should not be shared with other people. Especially now, there are likely other people in the house who may want to use them. If personal devices are used, develop a checklist of what should be in place on them: antimalware, encryption, a password manager and a VPN are some basic tools.
Cleansing Data
Be prepared to have employees clear the data on their devices and in cloud storage on a regular basis, such as weekly. In all cases, have a plan for clearing data once standard working arrangements resume.
Source: TrustArc Top 10 Tips for Enabling (new) Remote Workers
21. Third Party Risks in Today’s Climate: Regulatory Changes
● Data usage
For what purposes can your service providers/processors use the personal data you collect? And how do you prevent deliberate or accidental misuse of that data?
○ e.g. use of telemetry data for product improvement requires a separate legal basis, according to EU DPAs
○ this also covers cookies and other tracking technologies (e.g. the CJEU Planet49 case)
● Cross-border data transfers, also when using service providers/processors
Local requirements and guidance are subject to continuous change and uncertainty
○ EU: ongoing discussion on the validity of the Standard Contractual Clauses and Privacy Shield
○ Turkey: no approval of cross-border transfer mechanisms from the Regulator (consent only)
○ Japan: the PPC is looking to strengthen cross-border transfer requirements and the extraterritorial scope of Japanese privacy law
○ Canada: the OPC is considering moving away from consent as the requirement for cross-border transfers
● Video Conferencing
○ Ensure policies, procedures and notices are up to date and cover all processing via VC apps
○ Complete security assessments: the right tool for the right conversation
22. Polling Question 3
How does your organization prioritize risks? (Select one)
● Risk owners prioritize risks for which they are responsible
● Risks are prioritized by each functional area
● A cross-functional team oversees all risk priorities
● Have enterprise risk mgmt program for prioritizing risks
● We don’t have a process for risk prioritization
24. Focusing Resources on Highest Areas of Risk
[Diagram: risk expressed as the severity and likelihood of consequences, weighed through a balancing test to give a risk factor]
Sources:
CIPL - The role of risk management in data protection (2014)
Gellert - Understanding the notion of risk in the GDPR (ScienceDirect, 2018)
25. Focusing Resources on Highest Areas of Risk
1. Risks with a high severity and likelihood absolutely must be avoided or reduced by implementing security measures that reduce both their severity and their likelihood. Measures should focus on prevention, protection and recovery.
2. Risks with a high severity but a low likelihood must be avoided or reduced by implementing security measures that reduce either their severity or their likelihood. Emphasis must be placed on preventive measures.
3. Risks with a low severity but a high likelihood must be reduced by implementing security measures that reduce their likelihood. Emphasis must be placed on recovery measures.
4. Risks with a low severity and likelihood may be taken, especially since the treatment of other risks should also lead to their treatment.
Source: CNIL - Methodology for Privacy Risk Management (2012)
26. Polling Question 4
What risks does your organization report to your Board of Directors?
(Select all that apply)
● Anti-bribery and anti-corruption
● Cybersecurity
● Fraud
● Privacy
● Other / Unsure
28. Board of Directors Risk Oversight Critical to Organizational Strategy
“Nothing is more fundamental to business - or vexing to boards - than risk…” - NACD
Board role in risk governance: oversight of the organization’s risk management activities
● Governance Risks - decisions regarding board composition, leadership, directors, executive management (e.g., CEO)
● Business Management Risks - categories that present significant threats: reporting risks, operational risks, financial risks, compliance risks, HR/labor risks, reputational risks
● Board Approval Risks - decisions regarding strategic initiatives, such as M&A, material investments, entry into new markets, new product lines
● Critical Enterprise Risks - top risks that affect the company’s strategy, business model, or viability
● Emerging Risks - awareness of external risks such as environmental change, demographic shifts, and catastrophic events
Source: Report of the NACD Blue Ribbon Commission, Risk Governance: Balancing Risk and Reward (2009)
29. Risk Reporting to Management and the Board
[Figure: Annual Privacy Governance Report, 2019]
30. Risk Reporting to Management and the Board
Accountability as part of the solution
● Demonstrable compliance helps tell the story behind risk identification and mitigation.
● An ongoing process supports a structured review cycle.
● A framework-based approach also allows for structured and detailed management reporting.
32. Tools and Best Practices - Key Pillars of Third Party and Company Risk Management
● Identify - Identify and prioritize potential areas of third party and company risk
● Assess - Assess risk associated with vendors, company entities and other third parties
● Analyze - Analyze and prioritize risk based on severity and likelihood
● Remediate - Prioritize key remediation tasks to ensure compliance and risk mitigation
● Ongoing Monitoring - Ongoing and real-time monitoring of risk, with automated detection based on changes or elapsed time
33. Tools and Best Practices - Other Tools for Consideration
● Automation
○ Automated identification of possible risk
○ Prioritization of remediation tasks
○ Continuous Risk Monitoring
● Drive a holistic view of the vendor
○ Security ratings
○ Financial ratings
○ Other Risk related ratings
● Ease of Use
○ Vendor and Third Party Libraries
○ Streamlined user experience
● Managed Services and Consulting
○ Build your program
○ Help in running your program on an ongoing basis
36. Upcoming Webinars
EMEA Quarterly Update: Two Years Later - April 29, 2020 @ 10:00 EDT
Past Webinars
Privacy Frameworks: The Foundation for Every Privacy Program