In the age of enterprise social networks and cloud-based collaboration platforms, almost every employee is a content contributor. While this brings new insights and perspectives to your business, the influx of content also brings new risks.
As a result, legal systems worldwide are clamping down and demanding greater compliance — particularly on IT systems — making it essential for organizations to implement compliance and risk management protocols.
So how do we balance the business benefit of the free flow of information with the risk of inappropriate access and/or disclosure?
Many methods of assessment are available, ranging from a flip of a coin to a much more prescriptive and analytical approach. I’ve heard that some companies calculate their risk by asking what would happen if something bad occurred:
- Will the CEO go to jail?
- Will the company suffer crippling fines, penalties or potential legal liabilities?
- Will the cost of a preventative solution outweigh what the company would pay in the worst-case scenario?
Unsurprisingly, this approach lends itself to a lot of speculation.
A more analytical approach lets a company establish a repeatable process. Perhaps the most important thing for a risk officer or compliance expert to consider is what they actually define as risk in their organization. Analyzing that risk requires weighing the applicable standards, the organization's exposure, and what each of these means for the business.
Implementing a Risk-Based Approach
The new European Union General Data Protection Regulation (GDPR) creates an interesting shift in this paradigm. It effectively mandates that companies manage their privacy and data protection programs through a risk-based approach centered on harm to individuals: what would happen to a person if their data were lost or stolen.
While this sounds like a bit of legalese, and may make IT professionals squirm at the idea of lawyers measuring shades of gray, it is relatively simple to find meaningful ways to operationalize this requirement.
A robust risk management program involves not only surfacing and identifying risk, but also the ability to audit and limit it. You must identify each risk and rate it, determine the likelihood that your organization will be affected by the same issue in the future, and establish how its impact compares with other kinds of risk.
Finally, under a harm-based approach, you must assess the potential harm to individuals if their data were compromised.
Start by taking the time to understand what kinds of data your business handles and how your coworkers use internal systems in their day-to-day jobs. Seeing a “day in the life” of your colleagues will help you understand why and how they need to handle protected data in the course of their daily work. Your time spent will pay off — allowing you to craft solutions that meet their needs, as well as your obligations.
Incorporating Risk Management into all Business Activities
Privacy and security risk management often intersect with other data lifecycle management programs within your company. Combining these related areas lets you make better use of resources and manage risk to information assets more effectively, supporting the responsible, ethical and lawful collection, use, sharing, maintenance and disposition of information:
- Consider how data is created and collected by your company: How will you provide notice to individuals about data collection? How will you offer them appropriate choices about what you do with their data?
- Think about how you are going to use and maintain this data:
  - Consider inappropriate access
  - Honor the customer's or constituent's choices
  - Address concerns around a potential new use or even misuse
  - Address concerns around a possible breach
  - Ensure that you are properly retaining the data for records management purposes
- Consider who is sharing the data, and with whom: Keep in mind data sovereignty requirements and cross-border restrictions, as well as inappropriate, unauthorized or excessive sharing.
- Ensure appropriate disposition for all data: Keep data only as long as records management, statutory, regulatory or compliance requirements demand. Make sure no inadvertent disposal of sensitive data takes place, while understanding that for as long as the data is in your possession, you run the risk of a breach.
- Understand the difference between what can be shared and what should be shared: A good program continually assesses and reviews who needs access to which types of information. Privacy, security and compliance professionals should work with their IT counterparts to automate controls around enterprise systems (for example, role-based access and periodic access reviews) so that this is upheld; automation makes it easier for employees to do the right thing. Once you have implemented your plan, keep up regular and ongoing assessments.
While we are not yet at a point where we can reduce privacy, data protection and risk management to a pure mathematical calculation, we are able to create a repeatable process for evaluating risk.
In other words: measure so you can manage. Conduct ongoing testing, monitoring and assessment to confirm that you are complying with your new guidelines and standards. This lets you react and revise your policies and procedures as necessary, based on evaluation and automated verification.