What types of data protection risk are there?
Data protection risks come in all shapes and sizes. They are not always easy to identify. How do we know what to look for and how serious they could it be?
There are risks to individuals (e.g. employees, customers, patients, clients etc) which are paramount under data protection laws. But there are also commercial and reputational risks for businesses relating to their use for data.
Risks could materialise in the event of a data breach, failure to fulfil individual privacy rights (such as a Data Subject Access Request), complaints, regulatory scrutiny, compensation demands or even class actions.
We should recognise our service & technology providers, who may handle personal data on our behalf, could be a risk area. For example, they might suffer a data breach and our data could be affected, or they might not adhere to contractual requirements.
International data transfers are another are where due diligence is required to make sure these transfers are lawful, and if not, recognise that represents a risk.
Marketing (either in-house, agency or tech platforms) could also be a concern, if these activities are not fully compliant with ePrivacy rules – such as the UK’s Privacy and Electronic Communications Regulations (known as PECR). Even just one single complaint to the regulator could result in a business finding themselves facing a PECR fine and the subsequent reputational damage.
The seven core data protection principles under UK and EU GDPRs are a great place to start when trying to identify where data protection risks may lie.
Data protection principles
1. Lawfulness, fairness and transparency
Is what we’re doing legal? Have we identified a suitable lawful basis, and are we meeting the conditions of this lawful basis? Is it fair and ethical? Are we being transparent about what we do in our privacy notices? See DPN Lawful Basis Guide
2. Purpose limitation
Are we only using personal data in the ways we told people it would be used for? We might want to use their data in new ways, but are these compatible with the original purpose(s) we gathered the data for? If we surprise people, they’ll be more likely to complain.
Are we collecting, using and holding onto more data than we actually need? Is some data collected and kept ‘just in case’ it might be useful in future?
Inaccurate or out-of-date personal information could lead to false assumptions which could come back to bite us.
5. Storage limitation
Hoarding data for longer than necessary could mean the impact of a data breach is much worse. Over-retention of people’s data could be exposed when handling a Data Subject Access Request, or an or Erasure Request. See DPN Data Retention Guidance
6. Information Security
Have we implemented robust security measures and controls to make sure personal data is protected, when at rest on our systems and when its transferred?
Are we in a good position to defend what we do with the data? If scrutinised, do we have suitable records & evidence to demonstrate that we’ve taken data protection seriously? See Quick Guide to Data Governance
The lengths we go to try and embed these principles across our organisation will clearly differ depending on the sensitivity of personal data involved and what we’re using it for. When considered what security measures are appropriate, we should take a proportionate approach.
Some activities can automatically bring with them more risk. For example; handling special category data (such as health data, biometrics, sexual preference and ethnicity), collecting children’s data, using innovative technology such as AI and any activities which could result in an automated decision being made about someone.
We need to consider people’s privacy rights and have procedures in place to handle any requests we receive. For example, their right to be informed, right of access, right to object, right to erasure and so on. An inability to fulfil such requests may draw unwelcome attention.
In certain circumstances it’s mandatory to conduct a Data Protection Impact Assessment (DPIA). Conducting an assessment can often be useful, even if what you’re doing doesn’t fall under the mandatory criteria. It can help us to identify data risks from the outset so you can put measures in place to mitigate risks before they have any opportunity to become an issue. See DPN DPIA Guide.
Mistakes can happen
Here are some issues or gaps which could lead to data protection risks coming to the surface.
- People-related risks – such as lack of training and lack of governance or ownership
- Process risks – such as poor data handling procedures or manual processing on Excel / Sheets.
- Technology risks – such as ineffective controls on core systems, or ineffective archiving/deletion processes.
If you don’t know where your risks lie, you won’t have a handle on how much risk the business is carrying. You may have several significant risks, but multiple low-level risks could also prove damaging.
Listen back to our online discussion: Managing and Assessing Data Protection Risks