The Centre for Information Policy Leadership at Hunton & Williams (the “Centre”) has published a white paper entitled A Risk-based Approach to Privacy: Improving Effectiveness in Practice. This is the first paper in the Centre’s new multi-year Privacy Risk Framework Project. It follows the Centre’s March 2014 Risk Workshop, held in Paris with Centre members, privacy experts, regulators and other stakeholders. The Risk Framework Project is the next phase of the Centre’s earlier work on organizational accountability, focusing specifically on one important aspect of accountability – conducting risk assessments that identify, evaluate and mitigate the privacy risks to individuals posed by an organization’s proposed data processing.
The white paper explores the fundamental question of how the ultimate purpose of privacy laws – to protect individuals from both tangible and intangible harm – can be achieved more effectively in the modern information age. Given the increasing challenges of Big Data, ubiquitous computing and information flows, the Internet of Things and non-consumer-facing data processing, organizations require tools that help them implement and comply with applicable legal requirements more effectively and ensure appropriate prioritization within their privacy programs. The Centre’s Privacy Risk Framework Project seeks to explore the potential of the risk-based approach as one such tool. In addition to a comprehensive study of the various possible applications and uses of the risk-based approach, the Project also seeks to develop a practical methodology for identifying and evaluating specific privacy harms to consumers, so as to facilitate appropriate mitigations and processing decisions by organizations.
The issues addressed in this first paper include an overview of the possible benefits and applications of the risk-based approach, as well as the potential challenges and open questions associated with the approach. The paper addresses the potential uses of the risk-based approach not only by organizations, but also by regulators and policymakers. It also lays out the possible structure of a “risk matrix” for mapping specific processing “threats” (e.g., unexpected data use, improper access to data or loss of data) to specific tangible, intangible and societal harms (e.g., bodily harm, financial harm, reputational harm, embarrassment, discrimination and loss of social trust) in order to evaluate the likelihood and seriousness of any harm and to devise appropriate mitigations based on the actual risks and countervailing benefits to individuals and society.
Next phases of the Project will include a deeper analysis of the role of the risk-based approach as part of organizational accountability, as a component of existing privacy and regulatory regimes, and as a potential tool to address new privacy challenges in the modern information economy.