Risk response and mitigation in data privacy
Michael Irene is a data and information governance practitioner based in London, United Kingdom. He is also a Fellow of Higher Education Academy, UK, and can be reached via moshoke@yahoo.com; twitter: @moshoke
Company XYZ’s customer contact centre sends out music a ticket containing address, name, payment information to an individual who is not expecting it. Over the next couple of weeks, the intended customer makes an inquiry about her ticket. Company XYZ claims that they sent the ticket, and the customer should have received it.
Some days later, the individual who received the ticket called the company to inform them that there is a ticket in his house which he didn’t order. He ordered for a boxing match and not for a music concert. The person who ordered for a music concert now got the tickets for a boxing match.
In this scenario, the tickets were sent to the wrong individuals containing various personal information. And this poses a privacy risk and could lead to a rapid increase in customer distrust if the company does not address this.
There is risk in every organisation and smart organisations figure out how to deal with those particular risks. In the above example, the risk can be avoidable or can be prevented by simply teasing out the business process and understanding what went wrong. Another area might be the information they put on those tickets, does it serve any purpose if we put the full name of a customer on a ticket or should we use an identifier.
Mitigating the incident above needs planning, carrying out some job, checking that the new procedure meets accepted standards, and of course, adjusting the entire structure to curb the risk in the future.
Most companies can consider using the NIST risk management framework when dealing with data privacy risks. This framework consists of six steps. It includes categorising information systems, selecting security controls, implementing security controls, assessing security controls, authorising information systems and monitoring security controls.
This framework often helps most enterprises understand the risk within their information management systems and helps them tease what they should be doing with those attendant risks.
Data privacy requires businesses to understand the gaps within their business process and categorise those particular risks according to priorities and knowing what type of controls they can put in place to ensure the found risk is immediately mitigated.
In another breath, a particular company decides to hold data because it feels that it would be valuable for them in the future. If they delete those datasets it might be hard to fight any legal battle. These types of companies have agreed to accept this risk in this category.
There are various risk response options. A company can decide whether to avoid a risk, mitigate, share, or accept the risk. All these options are valid, and the organisation should consider reducing risk.
Risk mitigation involves the application of controls that lower the overall level of risk by reducing the vulnerability, likelihood of the threat exploit, or impact to the asset if the risk were to be realised.
For a company to avoid breaches and misdemeanours in their data privacy framework, they need to consider their risk response methodologies, factor in the cost, and understand the lifespan of such risks and come up with the best option. Without this, a company can stroll blindly into a data breach or, in the example above, promote distrust among customers.