GDPR is quickly approaching and many companies are scrambling to implement people, processes and technologies to meet its mandates. Much talk has been around how to assess the impact of risk mitigation initiatives for “high risk” processing activities, a key focus of the regulations.
Without a structured way of identifying top risks, prioritizing initiatives and measuring the impact of mitigation efforts, organizations will struggle with understanding the cost-benefit of data privacy initiatives.
1. Identifying Actual “High Risks”
GDPR provides some guidance on what is considered “high risk”, such as “large scale” processing, “systematic and extensive evaluation” and “systematic monitoring”, but it will rely on organizations to interpret these on a case-by-case basis through risk assessments.
Being able to quantify and put monetary values on risk can help identify high risk activities and end religious debates between organizations and regulators who may have previously used qualitative means to measure risk, which can be highly subjective.
It can also eliminate the need to take further action (additional risk assessments and Data Privacy Impact Assessments) on activities that represent low risk, saving valuable time and resources that should be focused elsewhere.
2. Prioritization of Mitigation Efforts
When high risk activities are identified, prioritizing mitigation efforts based on quantitative values in financial terms will allow organizations to cost-effectively apply resources to the activities that need them the most. It will also create transparency between organizations, Data Protection Officers and regulators with oversight.
3. Measuring Risk Reduction and Residual Risk
Being able to effectively apply risk mitigation efforts will be critical for organizations that want to keep key business processes running smoothly and avoid hefty fines from operating at risk levels not approved by regulators.
Again, this is where quantifying risk reduction in monetary terms can create the necessary transparency to show regulators that you have mitigated risk down to an acceptable level.
If regulators approve the operations at those residual levels, the burden will shift to regulators and organizations will have the means to defend their actions and avoid those hefty fines.
It will also allow companies to right-size their mitigation efforts, so that they are not spending too much or too little on controls to bring risk down to an acceptable level.
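To make the residual-risk argument concrete, the following added example (not code from the original post, RiskLens, or the FAIR standard) shows the core arithmetic of a FAIR-style quantification: loss event frequency and loss magnitude are each expressed as calibrated min/most-likely/max ranges, combined into annualized loss exposure both in closed form and by Monte Carlo, and then compared before and after a control to report risk reduction, residual risk, and whether residual risk sits inside an acceptable threshold. All scenario values, the triangular distributions, the control cost and the risk appetite are constructed assumptions for illustration; a real assessment would calibrate them from incident data and expert estimates.

```python
"""FAIR-style annualized loss exposure (ALE) for a GDPR processing activity.

Added example with constructed inputs. Simplifications (assumptions):
  * loss event frequency (LEF) and loss magnitude (LM) are independent
    and each modelled as a triangular distribution over (min, mode, max);
  * annual loss is approximated as LEF * LM rather than summing a random
    number of discrete events.
"""
import random
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Scenario:
    """One loss scenario: ranges are (min, most likely, max)."""
    name: str
    lef: tuple  # loss events per year
    lm: tuple   # loss per event, in EUR (fines, response, notification, churn)


def _tri_mean(t):
    # Expected value of a triangular distribution is (min + mode + max) / 3.
    return sum(t) / 3


def point_estimate(s: Scenario) -> float:
    """Closed-form expected ALE = E[LEF] * E[LM] (valid under independence)."""
    return _tri_mean(s.lef) * _tri_mean(s.lm)


def simulate_ale(s: Scenario, runs: int = 20000, seed: int = 1) -> dict:
    """Monte Carlo ALE: returns mean and 90th-percentile annual loss.

    Seeded so the run is reproducible; vary the seed to check stability.
    """
    rng = random.Random(seed)
    annual_losses = []
    for _ in range(runs):
        # random.triangular takes (low, high, mode).
        freq = rng.triangular(s.lef[0], s.lef[2], s.lef[1])
        magnitude = rng.triangular(s.lm[0], s.lm[2], s.lm[1])
        annual_losses.append(freq * magnitude)
    annual_losses.sort()
    return {
        "mean": mean(annual_losses),
        "p90": annual_losses[int(0.9 * runs)],
    }


def risk_reduction(baseline: Scenario, mitigated: Scenario,
                   annual_control_cost: float, risk_appetite: float) -> dict:
    """Compare expected loss before and after a control.

    'within_appetite' is the transparency claim made to a regulator or DPO:
    residual expected loss is at or below the agreed acceptable level.
    """
    before = point_estimate(baseline)
    after = point_estimate(mitigated)
    reduction = before - after
    return {
        "baseline": before,
        "residual": after,
        "reduction": reduction,
        "net_benefit": reduction - annual_control_cost,
        "within_appetite": after <= risk_appetite,
    }


# Constructed scenario: breach of a customer-analytics data set.
BASELINE = Scenario(
    name="analytics breach, current controls",
    lef=(0.1, 0.5, 2.0),
    lm=(50_000, 400_000, 5_000_000),
)
# Same scenario after pseudonymisation plus tighter access control (assumed effect).
MITIGATED = Scenario(
    name="analytics breach, after pseudonymisation + access control",
    lef=(0.05, 0.2, 0.8),
    lm=(20_000, 150_000, 1_500_000),
)
CONTROL_COST = 120_000   # assumed annual cost of the control programme
RISK_APPETITE = 250_000  # assumed acceptable expected annual loss

if __name__ == "__main__":
    for s in (BASELINE, MITIGATED):
        sim = simulate_ale(s)
        print(f"{s.name}: point ALE {point_estimate(s):,.0f} EUR, "
              f"simulated mean {sim['mean']:,.0f}, p90 {sim['p90']:,.0f}")
    print(risk_reduction(BASELINE, MITIGATED, CONTROL_COST, RISK_APPETITE))
```

The closed-form estimate is enough to rank activities and decide which ones need a full DPIA; the Monte Carlo adds the tail (p90) that a regulator discussing "large scale" processing will care about more than the mean. Net benefit below zero would indicate a control that costs more than the risk it removes, which is the "spending too much" case described above.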
The Bottom Line
GDPR will force many organizations to adopt a risk-based approach to security and data protection. This will pose a significant challenge for many companies that to date have relied on compliance-based approaches. It will no doubt also mean significant investments in security programs to avoid large fines.
Using a model like FAIR to quantify risk in financial terms can provide the impetus needed to meet the mandates of GDPR and do it in the most cost-effective way possible, avoiding wasteful spending and resource allocation.
RiskLens can help you leverage the FAIR model for GDPR. Schedule a demo now.