Updated: October 14, 2024
Published: July 15, 2024
Getting buy-in for privacy resources at your organization and managing your company’s risk profile may seem like two separate, and overwhelming, tasks. In fact, they are intertwined, and one can support the other. The key is privacy risk quantification. By quantifying privacy risk, you can show how it relates to the other risks the organization tracks. And by quantifying it in a way that is easy for stakeholders to understand, you can better communicate the urgency of investing in a comprehensive program and mitigating privacy risk.
At its simplest, privacy risk quantification helps privacy pros understand the magnitude of a risk’s impact on people, the privacy program, and the overall business. Privacy risk can be understood as the likelihood that individuals will experience problems resulting from data processing, combined with the impact of those problems should they occur. Privacy risk quantification methodologies often also calculate the amount of damage the organization itself would suffer if the risk were realized.
Essentially, a privacy risk quantification calculates the harm that would befall a person whose personal information (PI) is being processed if the risk were to occur, and the resulting consequences for the business. The calculation uses preselected categories with corresponding severities to produce a risk classification that is directly comparable to other risks assessed with the same methodology. Without a consistent methodology, the results are not comparable, which hinders the team’s ability to prioritize the privacy risks it has identified.
Robust privacy assessments are not just a best practice: They are required for most state privacy laws in the United States.
Privacy teams use risk quantification to create clear comparisons between the severity of privacy risks. These comparisons are vital in deciding which risk should be treated first, and how quickly. Without a process for ordering privacy risks, the risk treatment process could leave significant risks waiting behind minor ones, increasing the probability that they are realized.
These comparisons also provide a digestible output for people not well versed in data privacy risk management. They act as an essential resource for stakeholders when building buy-in for risk treatment plans.
For context, risk quantification is a subdomain of a larger process known as a privacy impact assessment (PIA). Privacy risk quantification starts when a PIA uncovers a new risk and has compiled all the necessary information needed to categorize the unique characteristics of this privacy risk.
To embark on a privacy risk quantification exercise, you’ll need a methodology. There are a few ways to develop a plan.
The easiest way to develop a methodology is to borrow what’s already in place at your organization. Check with your cybersecurity team to see if they have an internally developed cyber risk methodology, or an externally developed methodology of choice. You can use it as a blueprint but keep in mind: Cyber risk and privacy risk are closely associated but are not the same thing. To tailor a cyber risk plan for privacy, you’ll need to add in calculations that account for the potential harm to individuals who have Personally Identifiable Information (PII) being processed.
If there isn’t a clear guideline you can borrow from, you can also build your own methodology from scratch.
How to build your own privacy risk quantification plan
To build a plan, you’ll need to lay out steps to conduct a privacy impact assessment. Here is a checklist of the steps you’ll want to include in your PIA.
Clearly outline the project or process being assessed. Identify the types of PI at risk of being affected and determine the boundaries of the assessment. For example, a Human Resources department looking for a new HRIS would set the scope of the assessment as all PII processing that will occur with this new solution.
Map out how PI moves through your organization. Understand entry points, storage locations, and transmission methods. If you are looking to mature your current process, Osano’s Data Mapping software connects to your Single Sign-On (SSO) provider to automatically discover the systems your organization uses to process PI. When your data stores live outside of your SSO ecosystem, semi-automated assessment workflows help ensure privacy professionals and data store owners stay on the same page.
Understand the ways data is processed, your existing security measures, and potential privacy risks. Take inventory of the people, vendors, and tools that access the data and how each of them could undermine your risk mitigation.
Conduct an analysis of your data flow, considering factors such as data sensitivity, purpose, and potential vulnerabilities in your systems. Evaluate the likelihood of these factors exposing consumers to privacy risks and understand the potential consequences.
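The scoring step described above (preselected categories with fixed severities, likelihood combined with harm to individuals and impact on the business, and a ranked register that tells you what to treat first) can be made concrete with a small model. The following is an added example written for this article; it is not PRAM, FAIR Privacy, or any Osano product logic. The category names, the 1-to-4 scales, the scoring rule, the treatment bands, and the sample risks are all assumptions chosen for the demonstration.

```python
"""Illustrative privacy risk scoring and ranking (added example, not from the article).

The scales, weights and sample risks below are constructed assumptions; a real
programme would take them from its chosen methodology.
"""
from dataclasses import dataclass

# Preselected severity scales (assumption: one 1..4 ordinal scale per dimension).
# Fixing the scales up front is what makes scores comparable across risks.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "likely": 3, "almost_certain": 4}
INDIVIDUAL_HARM = {"negligible": 1, "minor": 2, "significant": 3, "severe": 4}
BUSINESS_IMPACT = {"negligible": 1, "minor": 2, "significant": 3, "severe": 4}


@dataclass(frozen=True)
class PrivacyRisk:
    """One row of a privacy risk register."""
    risk_id: str
    description: str
    likelihood: str
    individual_harm: str
    business_impact: str


def score_risk(risk: PrivacyRisk) -> int:
    """Score = likelihood x max(harm to individuals, impact on business).

    Taking the larger of the two impact dimensions stops a risk that is cheap
    for the company but harmful to data subjects from being buried. A label
    outside the agreed scales raises, so every risk is scored the same way.
    """
    try:
        likelihood = LIKELIHOOD[risk.likelihood]
        harm = INDIVIDUAL_HARM[risk.individual_harm]
        impact = BUSINESS_IMPACT[risk.business_impact]
    except KeyError as exc:
        raise ValueError(f"{risk.risk_id}: unknown category {exc}") from None
    return likelihood * max(harm, impact)


def classify(score: int) -> str:
    """Map the numeric score (1..16) onto a treatment band (assumed thresholds)."""
    if score >= 12:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def rank_register(register):
    """Return (risk_id, score, band) tuples; the first entry is treated first.

    Ties are broken by risk id so the ordering is deterministic and reproducible.
    """
    scored = []
    for risk in register:
        score = score_risk(risk)
        scored.append((risk.risk_id, score, classify(score)))
    return sorted(scored, key=lambda row: (-row[1], row[0]))


# Constructed sample register: hypothetical risks, not from any real assessment.
SAMPLE_REGISTER = [
    PrivacyRisk("R-001", "HRIS vendor retains applicant data indefinitely",
                "likely", "significant", "minor"),
    PrivacyRisk("R-002", "Marketing exports full customer list to email tool",
                "almost_certain", "minor", "significant"),
    PrivacyRisk("R-003", "Support tickets contain unredacted health details",
                "unlikely", "severe", "severe"),
    PrivacyRisk("R-004", "Analytics cookie set before consent banner loads",
                "almost_certain", "negligible", "minor"),
]

if __name__ == "__main__":
    for risk_id, score, band in rank_register(SAMPLE_REGISTER):
        print(f"{risk_id}  score={score:>2}  band={band}")
```

The point of the `ValueError` is the comparability requirement from the article: a risk scored with an ad hoc label ("often", say) is rejected rather than silently given a number, so the register never mixes methodologies. Swapping in your cyber team's scales, or PRAM's or FAIR Privacy's categories, changes only the dictionaries at the top.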
A few risk quantification frameworks already exist, and you can use them to guide your work. Two of the most common are:
NIST’s Privacy Risk Assessment Methodology (PRAM) is a great resource that is free to use. The PRAM tool is a methodology to analyze, assess, and prioritize privacy risks so they can be mitigated efficiently. PRAM uses the risk model from NIST Internal Report 8062 (NISTIR 8062).
NISTIR 8062 is an Introduction to Privacy Engineering and Risk Management in Federal Systems (Section 3 is most applicable to this article). While directed at federal systems, the guidance and principles are largely agnostic of organizational type. It’s a great resource for any privacy program. The NISTIR 8062 can be seen as a contextual document to better understand the step-by-step walkthrough offered by the PRAM GitHub Resource.
For a more quantitatively driven framework, the FAIR Privacy framework is a great free resource. It is based on Factor Analysis of Information Risk (FAIR™), an international standard quantitative model for information security and operational risk. The original FAIR provides a model for understanding, analyzing, and quantifying cyber risk and operational risk in financial terms. The FAIR Privacy framework adjusts this model to analyze risks to individuals, and not just to the organization.
In addition to the PRAM tool, NIST provides this scenario-based framework via GitHub. An additional resource to familiarize yourself with this framework is the "Quantitative Privacy Risk" presentation from the 2021 International Workshop on Privacy Engineering. While the final outputs are prescriptive and easy to communicate, the major drawback is the steep learning curve. This type of methodology best suits a larger organization that has the capacity to perform these intricate metric calculations.
Once you have identified and quantified privacy risks, it's time to operationalize privacy risk management. Here's how:
Once your team completes your assessments, the results should feed into a formal privacy risk management framework. This often takes the form of a privacy risk registry spreadsheet. Connect with your cybersecurity team to determine if keeping privacy risks separate from cyber risks is the best course of action, or if they should be combined into a single source of truth. (Whether or not to combine information is largely based on organizational preference.)
The assessment and registry should be managed within a formal framework, and there are a few commonly used risk management frameworks to choose from. The NIST Privacy Framework is a free-to-use resource that seeks to provide a common language for understanding, managing, and communicating privacy risk with internal and external stakeholders. It is adaptable to any organization’s role(s) in the data processing ecosystem. The NIST framework can be used to help identify and prioritize actions for reducing privacy risk, and it is a tool for aligning policy, business, and technological approaches to managing that risk.
As part of your risk-management framework, focus on developing privacy-enhancing measures to minimize identified risks. These measures may include minimizing data collection, defining retention periods, minimizing use of sensitive PI, and only transferring data externally when absolutely necessary.
As part of your process, it’s critical to compile a detailed report to summarize the PIA’s findings. Clearly communicate any residual risks and steps taken to address them. This documentation should serve as an ongoing reference point for compliance. The cadence of review is dependent on the severity of risk, organizational preference, and specific framework requirements.
The privacy landscape will continue to evolve, and so should your assessments. Regularly review and update your PIA to stay current with the latest processes and ensure ongoing compliance with the latest privacy laws. Check out our article, What Is a Privacy Impact Assessment (PIA) & How to Conduct One, for more information on how to create and update assessments.
Whether you’re planning on conducting your first or fiftieth PIA, remember that you don’t have to navigate the complexities on your own. A comprehensive data privacy solution can support your organization in protecting PI and streamlining compliance efforts. The right solution should help you:
With regular privacy assessments powered by Osano, you can reduce your company’s risk, comply with the law, and, most importantly, protect your customers. Our templated assessments based on industry best practices and our data mapping capabilities simplify the PIA workflow to make the most of your privacy team resources. To learn more about Osano’s approach to assessments, schedule a demo with our team.
Derek Glausser is the Privacy Program Manager at Osano. He has extensive experience conducting privacy assessments, gap analyses, and audits to help companies comply with state, federal, and global regulations and standards.