Privacy Risk

Privacy management programs reduce the following privacy risks:

  1. Risk of Non-Compliance
    Discovering an instance of non-compliance, possibly through an audit, assessment, or investigation, will necessitate changes in operational or business practices. This could be costly to implement and/or negatively impact profitability and revenue.

  2. Risk of Enforcement
    Regulatory investigation, or any activity driven by regulatory oversight, will likely require a significant investment of resources; in particular, one or more employees will need to dedicate a significant amount of time to dealing with the Regulator. Additionally, the outcome of any interaction with the Regulator may have significant consequences for the organization; for example, the Regulator may identify non-compliance and/or impose a monetary penalty.

  3. Risk of Data Breach
    The impact of a data breach can include a time-consuming investigation, costly notifications and remediation, reputational damage, and loss of business. A number of studies relate to the cost of data breaches, such as the Ponemon Institute’s “2014 Cost of Data Breach Study,” the Smart Card Alliance’s “The True Cost of Data Breaches in the Payments Industry,” and the UK Department for Business, Innovation and Skills study, “2014 Information Security Breaches Survey.”

  4. Contractual Risk
    Failure to meet contractual obligations related to privacy poses a significant risk to organizations, particularly to data processors, as contractual violations may lead to the loss of a contract as well as loss of future business.

  5. Risk to Data Subject
    Misuse of personal data may lead to individual harm, which may take the form of loss of income, other financial loss, reputational damage, discrimination, and other harms.

  6. Merger and Acquisition Risk
    The risk of non-compliance is now typically evaluated by an organization through the due diligence process during a merger or acquisition. Discovery of a business practice that is non-compliant, or even outside the organization’s notice statement, could have a very significant impact on the valuation of the merger or acquisition.

  7. Ethical Risk
    In some cases, the organization may be technically compliant with regard to the processing of personal information, but may still not be considered ethical. In many jurisdictions with long-established privacy and data protection regulations, the laws were not written in contemplation of modern business practices and technological advances, and therefore do not address privacy issues that have arisen due to these advances. Because of this, ethical risk is of particular consideration in areas such as cloud computing, big data, and the Internet of Things.

  8. Demonstrating Accountability Risk
    As well as complying with the letter of the law, Regulators increasingly expect organizations to be accountable, i.e., to be able to demonstrate effective privacy management. Organizations that cannot demonstrate their effective privacy management program may find themselves at an increased risk, particularly as the concept of accountability is being built into future laws and regulations around the world.

  9. Demonstrating Compliance Risk
    Similar to the accountability risk outlined above, new laws around the world are introducing the concept of demonstrating compliance within the law itself.

  10. Lost Revenue Opportunities
    Organizations can sometimes mistakenly interpret privacy law too strictly, and place unnecessary restrictions on business practices in the name of compliance. This could result in lost revenue opportunities and potentially places the organization at a competitive disadvantage.

  11. Career Risk
    The careers of the CEO, senior management, and even the privacy officer could be adversely impacted due to some of the privacy risks outlined above.

  12. Privacy Notice Risk
    This is the risk associated with providing an inaccurate or misleading public declaration of the organization’s collection, use or disclosure of personal data. In the US, Regulators have brought enforcement actions against companies based on failure to honour privacy representations, inadequate transparency, and failure to honour consumers’ choices. In specific US sectors (e.g. health and financial), under some US State laws, and in many other jurisdictions around the world, maintaining an accurate privacy notice is mandated by law. In all instances, privacy and data protection Regulators review privacy notices during an investigation or audit.

  13. Reputational Risk
    For consumer-facing organizations, public and health sector organizations, and even business-to-business organizations, public knowledge of non-compliance, including a data breach, can cause significant reputational damage even though this is hard to quantify. While some may argue that “good privacy” benefits a brand, it is certain that “bad privacy” can lead to brand degradation.

Managing Privacy and Data Protection Risk

Privacy management programs are made up of privacy management activities found in the Nymity Privacy Management Accountability Framework™. Even though all activities may reduce privacy risk, a subset of the activities is specifically focused on privacy risk assessment. Nymity’s research has identified 14 different privacy management activities that organizations implement to assess privacy risk, and according to a 2014 Nymity accountability benchmarking study, organizations have on average implemented 3 of these activities and plan to implement 2 more.

© 2002-2018 Nymity Inc. All Rights Reserved