The Impact in Impact Assessments
'Impact' isn't a new term as far as business risk assessments go, it's central to the whole thing, everyone knows what it means. Except now you don't, because once again the subject of Privacy wants to mess with you. I'm beginning to take this personally.
Traditionally, risk assessments are about business impact, things like profits and company viability. Harm to individual customers is represented, if at all, only through the likelihood of that harm having an impact on the business large enough to be worth recording. This perspective drives the cost/benefit analysis of controlling a risk.
Imagine you run a large business storing electronic information for customers, and a breach of your security is likely to cost you $25,000 every 5 years on average (loss of customers, bad press, fines, etc.), while the cost of putting better security in place is $50,000 over 5 years. Do you put that better security in place? No, not if you're making purely logical, financially based decisions. You run with what you already have and accept that breaches will happen and will set you back $25,000, that's $5,000 a year, if it actually even happens. An accepted cost of doing business.
Once Privacy gets involved everything changes. The basis of the risk assessment is no longer the company; it's about the personal impact on every individual data subject. The impacts that must be considered also go beyond easily quantifiable financial values and include such things as emotional and mental distress.
If a data breach might cost an individual just $1,000, the impact of that is likely to be many times greater, exponentially greater, than $25,000 to a large business. Even the possibility that it might happen because the business chose not to have better security could cause a customer emotional and mental distress. If it did happen, the possibility that their personal data is now in the hands of criminals and will be so forever may cause a level of anxiety the victim has to live with forever. If they decide they need to pay for services to monitor their credit and identity every year, then a degree of financial cost is also going to be continual, not just whatever one-off damage they suffered.
These are the discussions that need to happen when the processing of personal data is involved. Not "is the company willing to accept this $20,000 risk when the cost of reducing it is $50,000?" but "is it legal, fair, and reasonable of us to expose all of our customers to this $1,000 risk when the cost of reducing it is $50,000?". The answers might not be the same.
And, to be clear, you don't need to ask those questions because of any optional and subjective notion of morals or ethics; you have to ask them because the black and white of the law demands it.
Data Trust Consultant | Enterprise Meme Generator
1 year ago: Fantastic post, Dan. Clear, concise, and personal. You mentioned ethics, which I think is often overlooked when companies discuss the status of their data privacy posture. Aside from the financial roadblock, what other factors do you think deter organizations from taking action towards improving privacy?