According to the GDPR, the likelihood and severity of the risk to the rights and freedoms of the data subject should be determined by reference to the nature, scope, context and purposes of the processing. Risk should be evaluated on the basis of an objective assessment, by which it is established whether data processing operations involve a risk or a high risk. The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
Risk management should prevail for both existing as well as planned operations.
In risk assessment of regular data processing, the risks are estimated based on their potential impacts to the organisation. In the case of personal data processing however, the impacts are considered with regard to the freedoms and rights of individuals (data subjects).
Risks are composed of one feared event (what do we fear?) and all the threats that make it possible (how can this occur?). So the impact of a potential personal data breach on the data subject is a major aspect of the risk assessment and its management.
In the privacy arena, the primary assets of personal data processing are the processes themselves as well as the personal data being processed. These primary assets depend on supporting assets (hardware, software, networks, people…), so the questions become: how vulnerable are the supporting assets to the threats posed, how effective are any controls that are in place (or planned), what are the impacts should those threats materialise, and how do you treat the remaining (residual) risk?
The Approach – Summarised
The following is a high-level summary of the required steps. You are encouraged to review the content at the end of this article where we provide suggestions and examples that support this summary.
These are the main steps.
- Compile a list of threats and determine the severity of any impact
- Assess the likelihood of the threats materialising
- Document any existing or planned measures to reduce vulnerability of supporting assets
- Compile a map of the risks – severity vs. likelihood
- Reposition any risks that may be impacted by applying existing or planned measures
- Determine whether any residual risk will be accepted
Compile a detailed and prioritised list of all feared events that may affect the processing operation under consideration:
- Which primary assets need to be protected?
- What supporting assets are used for the primary assets?
- What are the relevant sources of the risks?
- Assess the level of identification (1 – 4) of the personal data (how easy is it to identify data subjects?)
- What are the prejudicial effects of the potential impacts (1 – 4)?
- Determine the severity by adding the two levels
Be aware – regular review of severity levels is important. For example, an increase in the number of data subjects could raise the level by 1, taking it to say, ‘Significant’. Conversely, a reduction could have the opposite effect.
The aim is to arrive at the following type of analysis.
- For each threat, estimate the vulnerabilities of the supporting assets (using values 1 – 4)
- Estimate the capability of the risk sources to exploit the vulnerabilities (using values 1 – 4)
- Determine the likelihood of the threats materialising by adding the two sets of values
Again, be aware that likelihood could change by adding other or removing existing factors.
Now, let’s add the likelihood analysis to the risks table from earlier.
What we have done thus far allows us to map the risks (severity vs. likelihood) in order to determine the order in which they should be treated. What can we observe from our example?
- Risk no. 2 has maximum severity with significant likelihood
- Risk no. 1 has significant severity with maximum likelihood
- Risks no. 3 and 4 had limited severity, so we chose not to include them in the likelihood analysis
Finally, in this section, the organisation must set objectives based on where the risks are located in the map e.g. what to do about risks with both a high severity and high likelihood etc.
First of all, risk-treatment measures must be determined. This is done by linking existing or planned measures to the risks they help to treat. Subsequent measures (which will re-estimate severity and likelihood) are added until the risk level is finally considered acceptable.
The additional measures must cover, in priority order and in cascading fashion, the primary assets; then, if that is insufficient, the potential impacts; then, if that is still insufficient, the risk sources; and finally the supporting assets. The risks that remain after the additional measures have been applied are the residual risk.
Finally, the organisation’s risk framework should have rules which explain why residual risks may be accepted.
END OF SUMMARY
Suggestions and Examples
The feared event describes the scenario and the potential impacts, should that scenario materialise. In those scenarios we wish to avoid the following:
- change in processing – lawfulness; impact on data subject’s rights;
- illegitimate access to personal data – confidentiality;
- unwanted change in personal data – integrity;
- disappearance of personal data – availability
Examples of Feared Events
Data on the habits of employees are illegally collected and used by their superiors to gather evidence to fire them.
Contact details are retrieved and used unlawfully (spam, targeted advertising).
Identities are spoofed to perform illegal activities on behalf of data subjects, the latter facing criminal prosecution.
Following an unwanted modification of health data, patients are inadequately taken care of, worsening their condition and even causing disability or death.
For a feared event to occur, there must be one or more risk sources that could cause it, accidentally or even deliberately. Risk sources may be:
- Internal – employee: user, computer specialist
- External – recipient, provider, competitor, authorised third party
- Non-human – computer virus, natural disaster, pandemic
Risk sources could act on various supporting assets which may include hardware, software, networks, people, paper media and related transmission channels.
The action of the risk sources on supporting assets may happen through different threats:
- function creep: supporting assets are diverted from their intended context of use without being altered or damaged;
- espionage: supporting assets are observed without being damaged;
- exceeded limits of operation: supporting assets are overloaded, over-exploited or used under conditions not permitting them to function properly;
- damage: supporting assets are partially or completely damaged;
- changes: supporting assets are transformed;
- property losses: supporting assets are lost, stolen, sold or given away, so it is no longer possible to exercise property rights.
Examples of Threats
- A malicious attacker injects unexpected queries into a website's form.
- A competitor, visiting incognito, steals a portable hard drive.
- A staff member removes tables from a database by mistake.
- Water damage destroys the computer servers and telecommunications.
What consequences could each feared event have on the identity and privacy of data subjects if:
- the processing operation was modified?
- an unauthorised person accessed personal data?
- personal data were modified?
- personal data disappeared?
Levels of risk: how to estimate them
The risk level is estimated in terms of severity and likelihood.
Severity represents the magnitude of a risk. It essentially depends on the level of identification of personal data and the level of consequences of the potential impacts.
Likelihood represents the feasibility of a risk occurring. It essentially depends on the level of vulnerability of the supporting assets set against the level of capability of the risk sources to exploit them.
Feared events are ranked by determining their severity based on the level of identification of personal data and the prejudicial effect of these potential impacts.
To determine the level of identification (in other words, how easy is it to identify data subjects?), consider the following suggested scale.
1. Negligible: Identifying an individual using their personal data appears to be virtually impossible (e.g. searching throughout a population register using only an individual's first name).
2. Limited: Identifying an individual using their personal data appears to be difficult but is possible in certain cases (e.g. searching throughout a population register using an individual's full name).
3. Significant: Identifying an individual using their personal data appears to be relatively easy (e.g. searching throughout a population register using an individual's full name and date of birth).
4. Maximum: Identifying an individual using their personal data appears to be extremely easy (e.g. searching throughout a population register using an individual's full name, date of birth and mailing address).
The value of the level that best matches the personal data identified is then selected. Any existing or planned measures that make personal data less easily identifiable should be listed as justification.
Next, the prejudicial effect of each feared event should be estimated. In other words, how much damage would be caused by all the potential impacts?
1. Negligible: Data subjects either will not be affected or may encounter a few inconveniences, which they will overcome without any problem (time spent re-entering information, annoyances, irritations, etc.)
2. Limited: Data subjects may encounter significant inconveniences, which they will be able to overcome despite a few difficulties (extra costs, denial of access to business services, fear, lack of understanding, stress, minor physical ailments, etc.)
3. Significant: Data subjects may encounter significant consequences, which they should be able to overcome albeit with serious difficulties (misappropriation of funds, blacklisting by banks, property damage, loss of employment, subpoena, worsening of state of health, etc.)
4. Maximum: Data subjects may encounter significant, or even irreversible, consequences, which they may not overcome (financial distress such as substantial debt or inability to work, long-term psychological or physical ailments, death, etc.)
The value of the level that best matches the potential impacts identified is then selected. Any existing or planned measures that make these potential impacts less harmful should be listed as justification.
Finally, the severity is determined by adding the two values obtained: the level of identification of the personal data and the prejudicial effect of the potential impacts.
Since a threat is a possible action by risk sources on supporting assets, the supporting assets should be identified and estimated for each threat.
First, the vulnerabilities of the supporting assets are estimated for each threat. In other words, to what degree can the properties of supporting assets be exploited in order to carry out a threat?
1. Negligible: Carrying out a threat by exploiting the properties of supporting assets does not appear possible (e.g. theft of paper documents stored in a room protected by a badge reader and access code).
2. Limited: Carrying out a threat by exploiting the properties of supporting assets appears to be difficult (e.g. theft of paper documents stored in a room protected by a badge reader).
3. Significant: Carrying out a threat by exploiting the properties of supporting assets appears to be possible (e.g. theft of paper documents stored in offices that cannot be accessed without first checking in at reception).
4. Maximum: Carrying out a threat by exploiting the properties of supporting assets appears to be extremely easy (e.g. theft of paper documents stored at the front desk).
The value of the level that best matches the supporting asset vulnerabilities identified is then selected.
Next, the capabilities of risk sources to exploit vulnerabilities (skills, available time, financial resources, proximity to system, motivation, feeling of impunity, etc.) are estimated for each threat.
1. Negligible: Risk sources do not appear to have any special capabilities to carry out a threat (e.g. software function creep by an individual acting without malicious intent and who has limited access privileges).
2. Limited: The capabilities of risk sources to carry out a threat are limited (e.g. software function creep by a malicious individual with limited access privileges).
3. Significant: The capabilities of risk sources to carry out a threat are real and significant (e.g. software function creep by an individual acting without malicious intent and who has unlimited administration privileges).
4. Maximum: The capabilities of risk sources to carry out a threat are definite and unlimited (e.g. software function creep by a malicious individual with unlimited administration privileges).
The value of the level that best matches the risk sources identified is then selected.
Finally, the likelihood of each threat is determined by adding the values obtained for the vulnerabilities of the supporting assets and the capabilities of the risk sources.
Mapping the risks
Since a risk consists of a feared event and all the threats that may allow it to occur:
- its severity equals that of the feared event;
- its likelihood equals the highest likelihood value of the threats associated with the feared event.
The risks can then be mapped.
Objectives may be set based on where risks are located on the map (in order of priority):
1. Risks with a high severity and likelihood absolutely must be avoided or reduced by implementing security measures that reduce both their severity and their likelihood. Ideally, care should even be taken to ensure that these risks are treated by independent measures of prevention (actions taken prior to a damaging event), protection (actions taken during a damaging event) and recovery (actions taken after a damaging event).
2. Risks with a high severity but a low likelihood must be avoided or reduced by implementing security measures that reduce either their severity or their likelihood. Emphasis must be placed on preventive measures.
3. Risks with a low severity but a high likelihood must be reduced by implementing security measures that reduce their likelihood. Emphasis must be placed on recovery measures.
4. Risks with a low severity and likelihood may be taken, especially since the treatment of other risks should also lead to their treatment.
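As an added worked example (not code from the original article), the scoring rules above in Python: severity and likelihood are each the sum of two 1 – 4 levels, a risk's likelihood is the highest likelihood among its threats (see Mapping the risks), and each risk is then placed in one of the four map quadrants with the objective listed above. The collapse of a 2 – 8 sum back to a 1 – 4 label and the threshold for "high" (Significant or Maximum) are assumptions not stated on the page; the two sample risks are constructed to mirror risks 1 and 2 of the summary.

```python
from dataclasses import dataclass, field

LABELS = {1: "Negligible", 2: "Limited", 3: "Significant", 4: "Maximum"}


def level_from_sum(total: int) -> int:
    """Collapse the sum of two 1-4 values (2..8) back to a 1-4 level.
    Thresholds are an assumption; the article only says 'add the two levels'."""
    if total < 5:
        return 1
    if total == 5:
        return 2
    if total == 6:
        return 3
    return 4


@dataclass
class Threat:
    description: str
    vulnerability: int  # 1-4: how exploitable are the supporting assets?
    capability: int     # 1-4: how capable is the risk source?

    def likelihood(self) -> int:
        return level_from_sum(self.vulnerability + self.capability)


@dataclass
class Risk:
    feared_event: str
    identification: int  # 1-4: how easy is it to identify data subjects?
    prejudice: int       # 1-4: prejudicial effect of the potential impacts
    threats: list = field(default_factory=list)

    def severity(self) -> int:
        return level_from_sum(self.identification + self.prejudice)

    def likelihood(self) -> int:
        # A risk is as likely as its most likely threat.
        return max(t.likelihood() for t in self.threats)


def objective(risk: Risk) -> str:
    """Map quadrant -> treatment objective. 'High' = Significant or Maximum (assumed)."""
    high_sev, high_lik = risk.severity() >= 3, risk.likelihood() >= 3
    if high_sev and high_lik:
        return "avoid/reduce both severity and likelihood (prevention, protection, recovery)"
    if high_sev:
        return "avoid/reduce severity or likelihood, emphasis on prevention"
    if high_lik:
        return "reduce likelihood, emphasis on recovery"
    return "may be taken; treating other risks should also treat it"


# Constructed sample risks mirroring risks 1 and 2 of the summary (values are illustrative).
RISKS = [
    Risk("Contact details retrieved and used for spam", 3, 3,
         [Threat("Unexpected queries injected into a website form", 4, 4)]),
    Risk("Unwanted modification of health data", 4, 4,
         [Threat("Portable hard drive stolen by a visitor", 3, 3),
          Threat("Staff member drops database tables by mistake", 2, 2)]),
]


def risk_map(risks):
    """Rows of (feared event, severity label, likelihood label, objective)."""
    return [(r.feared_event, LABELS[r.severity()], LABELS[r.likelihood()], objective(r))
            for r in risks]
```

Running `risk_map(RISKS)` yields risk 1 at Significant severity / Maximum likelihood and risk 2 at Maximum severity / Significant likelihood, both landing in the quadrant that must be treated by prevention, protection and recovery measures.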
Risk-treatment measures must be determined. This is done by linking existing or planned measures to the risks they help to treat. Subsequent measures are added until the risk level is finally considered acceptable.
This consists of determining additional measures that will cover:
1. The primary assets: measures designed to prevent security breaches, to detect such breaches or to restore security (informing data subjects, keeping personal data to a minimum, anonymisation of personal data, etc.).
2. Then, if the above is insufficient, the potential impacts: measures designed to prevent the consequences of risks from occurring, to identify and limit their effects or to curb them (making of backups, integrity checks, management of personal data breaches, etc.).
3. Then, if the above is insufficient, the risk sources: measures designed to prevent risk sources from acting or making a risk real, to identify and limit their impact or to cause them to backfire (physical and logical access control, activity tracking, management of third parties, protection against malicious codes, etc.).
4. Finally, if the above is insufficient, the supporting assets: measures designed to prevent the exploitation of vulnerabilities, to detect and limit threats that do occur or to restore the normal operating condition (reducing the vulnerabilities of software, hardware, individuals, paper documents, etc.)
Next, the severity and likelihood of the residual risks (i.e. risks that remain after the selected measures are implemented) should be re-estimated by factoring in these additional measures. They can then be re-positioned on the map.
Finally, explanations about why residual risks may be accepted should be given. These explanations may be based on the new severity and likelihood levels and on the benefits offered by the processing operation identified previously (risk-benefit analysis) by applying the following rules.
1. Risks with a high severity and likelihood must not be taken.
2. Risks with a high severity but a low likelihood may be taken only if it is demonstrated that their severity cannot be reduced and if their likelihood is negligible.
3. Risks with a low severity but a high likelihood may be taken only if it is demonstrated that their severity cannot be reduced and if their likelihood is negligible.
4. Risks with a low severity and likelihood may be taken