The Impact in Impact Assessments


'Impact' isn't a new term as far as business risk assessments go; it's central to the whole thing, and everyone knows what it means. Except now you don't, because once again the subject of Privacy wants to mess with you. I'm beginning to take this personally.


Traditionally, risk assessments are about business impact: things like profits and company viability. Harm to individual customers is represented, if at all, only by the likelihood of that harm causing an impact on the business that's worth recording. This perspective drives the cost/benefit analysis of whether a risk is worth controlling.


Imagine you run a large business storing electronic information for customers. A breach of your security is likely to cost you $25,000 every five years on average (loss of customers, bad press, fines, etc.), and the cost of putting better security in place is $50,000 over the same five years. Do you put that better security in place? No, not if you're making purely logical, financially based decisions. The expected loss works out at $5,000 a year against a control cost of $10,000 a year. You run with what you already have and accept that breaches will happen and set you back $25,000, if it actually even happens. An accepted cost of doing business.


Once Privacy gets involved, everything changes. The basis of the risk assessment is no longer the company; it's the personal impact on every individual data subject. The impacts that must be considered also go beyond easily quantifiable financial values and include things such as emotional and mental distress.


If a data breach might cost an individual just $1,000, the impact of that on the individual is likely to be many times greater, relative to their means, than $25,000 is to a large business. Even the possibility that it might happen because the business chose not to have better security could cause a customer emotional and mental distress. If it did happen, the knowledge that their personal data is now in the hands of criminals, and will be forever, may cause a level of anxiety the victim has to live with for the rest of their life. If they decide they need to pay for services to monitor their credit and identity every year, then a degree of financial cost is also going to be continual, not just whatever one-off damage they suffered.


These are the discussions that need to happen when the processing of personal data is involved. Not "is the company willing to accept this $25,000 risk when the cost of reducing it is $50,000?" but "is it legal, fair, and reasonable of us to expose every one of our customers to this $1,000 risk when the cost of reducing it is $50,000?". The answers might not be the same.


And, to be clear, you don't need to ask those questions because of any optional and subjective notion of morals or ethics; you have to ask them because the black and white of the law demands it.

Tony Vinokur

Data Trust Consultant | Enterprise Meme Generator

1 year ago

Fantastic post Dan. Clear, concise, and personal. You mentioned ethics which I think is often overlooked when companies discuss the status of their data privacy posture. Aside from the financial roadblock, what other factors do you think deter organizations from taking action towards improving privacy?

