Right-Size Your Risk Profile: Improving ROI for Data Protection Compliance
Technical and legal controls correlated with mitigating the risk of non-compliance can help reduce the liability exposure and improve ROI.
Why the Risk Profile Matters
The path to navigating data protection risks is often filled with uncertainty. Overestimating the risks stifles growth, and underestimating them can derail the business. At the same time, not all data protection risks are created equal. We have to focus on what matters most to the bottom line. The answer is rarely one-size-fits-all; it depends on the company's unique risk profile.
This blog post is about enabling startups to right-size their risk profile so they can improve the return on their data protection compliance investments.
What is Right-Sizing?
Right-sizing the risk profile is the process of establishing technical and legal controls consistent with the liability exposure of the organization.
The process of right-sizing your risk profile includes three stages: (i) identify the risks, (ii) prioritize the ones that matter the most to the bottom line, and (iii) mitigate the risk of non-compliance via technical and legal safeguards.
Example Scenarios: The following scenarios are illustrative in this regard:
- Data Retention: A company retains personal data of consumers for product analytics purposes. A CA resident asks them to “Delete all data you have about me.” If the company keeps some data, does this retention violate CCPA? [Find out how to identify if this creates a risk in the next section]
- Data Sharing: A company’s support vendor uses personal data of the company’s users for an email campaign. The users include CA residents. Does this use violate CCPA? [Find out how to identify if this creates a risk in the next section]
- Data Breach: A company's utilities vendor leaks billing data of its users, which include EU and CA residents. Is the company obligated to report the vendor breach to its users, and/or liable for it under GDPR or CCPA or both? [Find out how to identify when this creates a risk in the next section]
Let's take a deeper look at right-sizing the risk profile using these three scenarios.
Risk Identification
Performing a privacy gap assessment is usually the starting point of identifying the compliance risks for an organization. In simple terms, it is a risk-based approach that is used to determine the condition of privacy practices across the organization in relation to legislation and best-practice standards.
Here is the primary question that it answers: What compliance requirements apply to you and how well are you meeting them?
The example scenarios identify different risks to an organization, which we explain below.
- Data Retention: Under GDPR and CCPA, users have the right to request data deletion, but companies can, and sometimes need to, retain certain data that falls under recognized exemptions. Unless the data is retained for a valid business purpose, however, it creates a risk of non-compliance. [Find out whether to prioritize this risk in the next section]
- Data Sharing: Under CCPA, companies receiving personal information have restrictions on how they use it. Any use that goes beyond the business purpose (considered a "sale") must be disclosed along with a "do not sell" right to opt out of it (including the use of advertising cookies). If a vendor does not honor these restrictions, it creates a risk of non-compliance. [Find out whether to prioritize this risk in the next section]
- Data Breach: GDPR and CCPA impose certain obligations and liabilities on companies for data breach incidents. The obligations include breach notification when certain conditions are met. Both also provide exemption from liability under certain conditions. If a company is not taking adequate measures to avoid or manage data breaches, it creates a risk of non-compliance. [Find out whether to prioritize this risk in the next section]
Risk Prioritization
Alongside the gap assessment, a data protection impact assessment (DPIA for short) should be performed to prioritize the compliance risks identified for the organization. In simple terms, a DPIA describes a process designed to highlight the highest priority risks arising out of the processing of personal data with the intention to mitigate them as much and as early as possible.
Here is the primary question that it answers: What are the highest priority risks that apply to you and how are you mitigating them?
For the risks identified in the example scenarios, the prioritization would depend on the following factors:
- Data Retention: Purpose of retention vs. extent of deletion. The purpose for which data is retained, together with how much of it exists in how many different systems, will inform how much the organization should prioritize this issue. The less aligned the purpose is with the expected use, and the greater the extent of deletion, the greater the potential risk of non-compliance and the higher the priority. [Find out how to optimally mitigate this risk in the next section]
- Data Sharing: Extent and purpose of sharing. The extent of shared data (such as how much of it is shared with how many applications), together with the ability to restrict sharing that is inconsistent with the restrictions on use (including the use of advertising cookies), will inform how much the organization should prioritize this issue. The greater the extent of sharing and the lesser the ability to restrict it, the greater the potential risk of non-compliance and the higher the priority. [Find out how to optimally mitigate this risk in the next section]
- Data Breach: Residency and security of data. The residency of data subjects and the reasonableness of the security safeguards in place will inform how much the organization should prioritize this issue. The greater the number of data subjects from regulated regions, and the lesser the degree of reasonable safeguards, the greater the potential risk of non-compliance and the higher the priority. [Find out how to optimally mitigate this risk in the next section]
Risk Mitigation
A risk mitigation strategy should include technical and legal controls correlated with mitigating the risk of non-compliance (i.e. likelihood and/or cost of a regulatory violation) in order to reduce the liability exposure of the organization.
Here is the primary question that it answers: What combination of technical and legal controls optimally reduces your liability exposure for the prioritized risks?
For the risks prioritized in the example scenarios, the following mitigation strategies may help to optimally reduce liability exposure:
- Data Retention: In this case, the purpose for data retention is product analytics and the applicable law is CCPA. If the data retained for this purpose is purely for internal use, then it is exempted under CCPA. (Other examples include analysis of log data for security.) This addresses the legal control. The technical control would be a process that deletes this data when the product analytics use case is no longer applicable (at which point the data would become subject to deletion). Whether this would be a manual, ad-hoc process (such as custom scripts) or a robust, automated process (using software tools) depends on the extent of deletion as previously discussed, and would become a consideration when implementing the control.
- Data Sharing: In this case, the purpose of data use is marketing, which is inconsistent with the business purpose of the vendor, which is support. Data shared in this manner can lead to data breach liability, such as in the case of Clearview AI and Cambridge Analytica, due to inappropriate sharing of personal data with third parties. To avoid the risk of liability, the company should ask the vendor to contractually agree to a restriction on such use (e.g., ask the vendor to certify themselves as a "Service Provider" under the CCPA). This addresses the legal control. The technical control will be the process to monitor and block any data sharing APIs or tracking cookies by this vendor that violate this restriction. Whether this would be a manual, ad-hoc process (such as code reviews) or a robust, automated process (using software tools) depends on the extent of sharing as previously discussed, and would become a consideration when implementing the control.
- Data Breach: In this case, the data subjects belong to both EU and CA, so both GDPR and CCPA apply. Both laws generally require notification of a data breach, but also provide an exemption to this requirement if the data is encrypted. In terms of liability, CA residents can bring action under CCPA for violations resulting from lack of reasonable security. Having encryption at rest is the recommended technical control to reduce data breach burden. Having a robust breach response retainer (including a well-documented incident response plan) will be the recommended legal control, ideally supplemented by a third-party attestation against an acceptable industry standard (such as ISO-27001 or SOC-2 audit). These controls add to your ability to demonstrate the reasonableness of your cybersecurity program, which can be the last line of defense in mitigating data breach liability.
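As an added illustration (not code from the original post), here is how the Data Retention technical control described above could be modelled: a deletion request removes everything except records under an active internal-use exemption, and a scheduled sweep deletes those once the purpose lapses. The records, dates and the `internal_only` flag are constructed assumptions standing in for the CCPA internal-use condition; they are not a legal test.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Record:
    record_id: str
    subject_id: str
    purpose: str         # why the data is held, e.g. "product_analytics"
    internal_only: bool  # never leaves the company (assumed stand-in for "purely internal use")
    purpose_ends: date   # date after which that purpose no longer applies
    pending_deletion: bool = False  # set when a deletion request was deferred by an exemption

def sample_store():
    """Constructed sample data: a CA resident ("user-42") plus one other user."""
    return [
        Record("r1", "user-42", "marketing_email", False, date(2025, 12, 31)),
        Record("r2", "user-42", "product_analytics", True, date(2025, 6, 30)),
        Record("r3", "user-42", "product_analytics", False, date(2025, 6, 30)),
        Record("r4", "user-7", "product_analytics", True, date(2025, 6, 30)),
    ]

def is_exempt(rec, today):
    """Retention is exempt only while the purpose is internal-only AND still active."""
    return rec.internal_only and today <= rec.purpose_ends

def handle_deletion_request(store, subject_id, today):
    """Delete the subject's data except records under an active exemption; those are
    flagged so the sweep removes them once the purpose lapses. Returns ids for the audit log."""
    kept, deleted = [], []
    for rec in (r for r in store if r.subject_id == subject_id):
        if is_exempt(rec, today):
            rec.pending_deletion = True
            kept.append(rec.record_id)
        else:
            deleted.append(rec.record_id)
    store[:] = [r for r in store if r.record_id not in deleted]
    return kept, deleted

def expire_purposes(store, today):
    """Scheduled sweep: data whose purpose has lapsed is no longer exempt and is deleted."""
    expired = [r.record_id for r in store if today > r.purpose_ends]
    store[:] = [r for r in store if r.record_id not in expired]
    return expired

def run_scenario():
    """Walk the Data Retention scenario: request on 1 Mar 2025, sweep on 1 Jul 2025."""
    store = sample_store()
    kept, deleted = handle_deletion_request(store, "user-42", date(2025, 3, 1))
    expired = expire_purposes(store, date(2025, 7, 1))
    return {"kept": kept, "deleted": deleted, "expired": expired, "remaining": len(store)}
```

The returned ids are what an ad-hoc script or an automated tool would write to the audit log to show that each retained record was tied to an active purpose and was removed when that purpose ended.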
Conclusion
In summary, the process of right-sizing your risk profile involves performing a gap assessment to identify the risks, performing an impact assessment to prioritize the ones that matter the most, and implementing technical and legal controls to mitigate the risk of non-compliance.
Running the three scenarios through this process, you can start to picture how you may design and implement a data protection strategy for your own program, and what trade-offs you may consider, in order to reduce the liability exposure of your organization.
Connect with us
If you would like to reach out for guidance or provide other input, please do not hesitate to contact us.