Protect your privacy – risks and controls Protect your privacy – risks and controls

We are living in a constantly evolving context where companies process more and more data using new technologies and artificial intelligence to get the most out of the data. However, this technology-driven world can expose your data to sever risks. 

Data is so valuable that it is considered "the new oil" or "the new gold". Some experts even speak of a 4th industrial revolution at the heart of which is data. Nowadays, data is constantly processed, transferred, communicated and, therefore, the probability of failure is substantially higher, leading to following key risks:

• Reputational risk: the reputation of a company is a very delicate element that could collapse even due to a small oversight error. It is not only strictly related to data breaches and their consequences with in the press, but also to data subjects’ complaints that could result in very impactful newspaper articles;
  
  
• Operational risk: inadequate protection of personal data could expose your data to malware attacks and result in the loss or unavailability of data. This could additionally have an impact on business continuity by creating slowdowns or paralysis of your business processes;
  
  
• Economic risk: reputational and operational risks could most likely also have economic effects. In addition to costs relating to the temporary interruptions of your company’s business, costs to regain control on leaked data as well as costs to notify clients and authorities can be very high, as are the penalties given in case of non-compliance with the relevant privacy laws or regulations. For example, in Switzerland penalties can be up to CHF 250,000 and are aimed at natural persons.

To mitigate and reduce these risks, companies must define and implement privacy controls, and monitor the outcomes closely. It's then necessary to distinguish between two categories of controls: 

• Setup controls
• Operation controls.

Setup controls are those aimed at verifying the maturity level of a company's privacy structure. These are the controls performed typically during the so-called gap analysis or privacy assessment. They can be carried out during the implementation of the company's privacy structure or during an audit after a few years following implementation.

The steps to implement setup controls are mainly:

1. Mapping the relevant privacy areas in accordance with the applicable privacy laws or regulations;
2. Identifying setup controls for each privacy area (e.g. in the area of Data Protection Impact Assessment (DPIA), the setup control may be aimed at verifying if there’s a DPIA process in place);
   
3. Performing controls through interviews with impacted business units (e.g., Marketing, HR, etc.);
   
4. Analyzing the technical and organizational measures that have been implemented;
   
5. Identifying the level of maturity for each privacy area.

However, the existence of setup controls does not guarantee the company's compliance, because it is also necessary to monitor whether the privacy structure is adhered to in the day-to-day operation of the company. This is where the operation controls come in. 

In order to define operation controls suited to a company, a risk assessment has to be performed that identifies the key reputational, economic and operational risks. These risks will then be monitored on an ongoing basis through operation controls. For each operational control, one or multiple KPIs are defined. 

The set of the defined operation controls and the related KPIs form the privacy control framework. Three elements have to be considered when defining a privacy control framework:

1. Periodicity of controls to ensure that they are executed on a regular basis;
2. Compliance thresholds, the so-called risk appetite, to be able to easily identify areas with acceptable risk and areas in which escalation is required;
3. Periodicity of reporting: following the concept of accountability, these areas should be monitored, documented and then reported periodically to defined recipients (DPO, Management, etc.). 

Controls have to be periodically re-examined as they may not be effective or because there may be changes:

• At the legislative level: new regulations and laws, but also new guidelines or authorities' clarifications, may lead to impactful modifications;
• At the risk level: the adoption of new technologies or the discovery of new threats may increase the risk level of certain areas and, therefore, require the development of new controls;
• At the level of company structure: new controls should be defined in the event of a company's expansion or growth, as new areas may have to be checked;
• At the level of processes and processing activities: new activities, processes, campaigns, events may require the creation or the integration of new processing activities that have to be controlled.

Keep in mind that the review and re-execution of controls must be carried out on a regular basis from a continuous improvement perspective, to monitor and improve the company's level of compliance with the privacy regulations in an ongoing manner.