Beyond legal #4: time to up your risk game

To be effective and gain strategic influence, data protection leaders must move beyond the vague 'privacy risk' definition and learn to articulate data protection failures in the language and currency of the business.

RISK ALIGNMENT | DATA PROTECTION MATURITY | DATA PROTECTION LEADERSHIP | GOVERNANCE

Tim Clements

8/26/2025, 6 min read

Data protection leaders need to move beyond the narrow, compliance-driven definition of risk and learn to articulate data protection failures in the language of their business peers, connecting them to potential impacts that will command the board's attention. This elevates their status from 'necessary evil' to strategic voice. In this fourth post, I explore the limitations of the traditional view of risk in data protection, introduce the concept of ripple effects, and provide some pointers for articulating risk in terms the C-suite understands and acts upon.

As in previous posts, I want to align with the SFIA skills framework; here Risk Management (BURM) is the primary skill in play. There are also various risk methods and models available online, and I urge you to dig deep to get a good understanding of the breadth and depth of this discipline.

The dangerous myth of the compliance problem
A couple of years ago, a financial services company in Belgium contacted me after reading one of my posts on LinkedIn about risk. They shared a problem that was damaging the perception of their data protection team: the team was frequently presenting "high risks" to the data protection board, with a strong focus on potential GDPR fines. In rare cases they managed to convince the board to approve huge budgets for projects to implement expensive technical controls, but generally they built a reputation for overplaying the severity of the risks.

Often the conversation with the board stalled. Why? Because the way they presented risk was abstract: a purely compliance concern, disconnected from the day-to-day business of the company, its business strategy or its P&L statement (depending on who was in the meeting).

Vague risk definitions
In our data protection profession in Europe, we are plagued with confusing definitions that seem to have crept into many data protection leaders' vocabulary. The primary one is 'privacy risk'. In a European context, particularly under GDPR, 'privacy' is an interesting word. If you search for it in the GDPR text, you'll actually find just one reference, and that's in relation to the ePrivacy Directive, if I'm remembering correctly. Yet, in our day-to-day work, we see 'privacy' and 'data protection' used almost interchangeably.

But when you dig into the definitions of 'privacy risk', things get even more confusing. There's a lot of inconsistency. Take, for example, the definition from the IAPP, probably the largest privacy organisation in the world.

Here’s their definition:
"A formula to calculate the impact of a new project on the privacy of the consumer base that will use the new systems; to evaluate the risk, one must consider the likelihood of the threat occurring multiplied by the potential impact if the threat occurs."

They even acknowledge that it may be hard to quantify, so they suggest comparing projects as a way to understand privacy risk. Now, I’ll let you make up your own mind about how helpful that is. Personally, I don’t find it very clear or useful.

Then there’s the NIST (National Institute of Standards and Technology) definition:
"The likelihood that individuals will experience problems resulting from data processing and the impact should they occur."

Again, this is quite high-level and vague. What exactly do we mean by 'experiencing problems'? And what are those problems? This leaves a lot open to interpretation.

I think this lack of a clear, consistent definition of 'privacy risk' is a real issue in our industry. We throw the term around, but we don’t always fully understand what it means or have a concrete way to measure it.

Data protection laws start with human rights (in Europe at least)
Open your copy of the GDPR and it's there in Art 1(2): "This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data."

So at its heart, we need to pay close attention to risks to the rights and freedoms of individuals. This is our non-negotiable starting point. You may have come across some data protection leaders whose primary focus is protecting the interests of their company without any mention of rights and freedoms. Protecting the company is also important, but it often drives a compliance-based approach to data protection, frequently at a minimal level.

You may see a similar focus from your local supervisory authority, where emphasis is given to articles and requirements (the what) with little help on the how. From a risk perspective, one exception is the UK ICO, who published a helpful cause-event-harm model and various materials including examples, e.g. linking a failure (poor security) to an event (breach) to individual harm (anxiety, financial loss). It's well worth seeking out that document. The CNIL are also quite advanced with their PIA tool and substantial documentation.

So in the above ICO example, the security failure is the first domino to fall. But what happens after it falls? Focusing only here is like reporting on an earthquake's epicentre without mentioning the resulting tsunami.

Ripple Effects: How one data protection failure creates waves across the business
This is the central argument of this post. A single data protection event triggers a chain reaction of consequences across multiple risk domains, aka ripple effects.

Although the diagram above may at first appear confusing, let me walk you through an example scenario.

Trigger: A processing violation, a data breach, or a customer complaint

  • First ripple (compliance risks): This is the obvious one.

    • Consequences: Supervisory authority attention and potential investigation.

  • Second ripple (business risks): fines or penalties, customer churn, loss of business, resources expended on response

    • Consequences: financial losses

  • Third ripple (legal risks): lawsuits, vendor disputes

    • Consequences: litigation and/or breach of contract

  • Fourth ripple (operational risks): ban or suspension of data processing, poor quality data

    • Consequences: business process disruption, processing errors

  • Fifth ripple (reputational risks): media attention, customer complaints

    • Consequences: Erosion of trust, brand or reputational damage, strained partner relationships.

In reality, there will be a multitude of scenarios to map that are unique to your business and influenced by various factors, not least your risk appetite and risk tolerances, all of which must be documented in your risk policy.

Stop saying "High Risk" and start saying "€5M in potential lost revenue."
Data protection is often siloed because data protection leaders and their teams don't speak the language of the business. Instead, they expect the rest of the company to understand their world of articles, recitals and RoPAs. Mastering risk management also involves addressing common challenges in risk measurement and communication. Here are a few I've come across during initial client investigations, along with my usual recommendations:

Stop the subjective measurement: Challenge the vague "low, medium, high" heat maps. They lack credibility and are easily dismissed. They may look pretty, but they are weak and almost meaningless in many ways. Bias creeps in, risks are exaggerated and nobody can truly measure what's at stake.

Stop treating symptoms: Explain that a risk register listing "outdated RoPA" is tracking an issue, not a risk. The risk is the operational disruption or regulatory fine that results from it. To address something like this you need to perform root cause analysis on the issue itself; there are many reasons why a RoPA becomes outdated, and this will be addressed in a future blog post!

Communicate in business terms: Emphasise the need to translate risk into concrete business impacts. Instead of "high risk," frame it as "a 10% increase in customer churn" or "a potential contract breach with our largest shipping partner."

The power of data-driven budgets: when quantifying risk, use publicly available historical data (e.g. GDPR enforcement trackers, GDPRhub, etc.) to build realistic, scenario-based financial models for risk. Do not rely on gut feelings.
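As an added illustration (not from the original post or from Purpose and Means), here is a small Python model that turns the ripple structure above into euros rather than a heat-map colour: each ripple gets a conditional probability and a loss range, and the script reports the analytical expected loss, which domains dominate, and a Monte Carlo distribution of annual loss. All figures, including the trigger probability, are constructed placeholders; in practice they come from enforcement trackers, contract values and churn data.

```python
from dataclasses import dataclass
import random
import statistics

@dataclass(frozen=True)
class Ripple:
    domain: str         # risk domain from the ripple model
    probability: float  # chance this ripple follows once the trigger has occurred
    low: float          # plausible minimum loss in EUR
    high: float         # plausible maximum loss in EUR

# Constructed sample figures for one trigger (a breach of customer data).
SCENARIO = [
    Ripple("compliance", 0.9, 20_000, 150_000),      # handling the investigation
    Ripple("business", 0.5, 100_000, 2_000_000),     # fine, churn, lost deals
    Ripple("legal", 0.2, 50_000, 800_000),           # lawsuits, vendor disputes
    Ripple("operational", 0.3, 30_000, 400_000),     # processing suspended
    Ripple("reputational", 0.4, 50_000, 1_000_000),  # media, eroded trust
]

def domain_contributions(ripples, trigger_probability):
    """Expected annual loss per domain: P(trigger) * P(ripple) * midpoint loss."""
    return {r.domain: trigger_probability * r.probability * (r.low + r.high) / 2
            for r in ripples}

def expected_loss(ripples, trigger_probability):
    """Analytical annual expected loss summed across all ripples."""
    return sum(domain_contributions(ripples, trigger_probability).values())

def rank_domains(ripples, trigger_probability):
    """Domains ordered by expected loss, largest first: the headline for the board."""
    contrib = domain_contributions(ripples, trigger_probability)
    return sorted(contrib, key=contrib.get, reverse=True)

def simulate(ripples, trigger_probability, runs=20_000, seed=7):
    """Monte Carlo over one year; returns mean, median and 90th-percentile loss."""
    rng = random.Random(seed)
    losses = []
    for _ in range(runs):
        total = 0.0
        if rng.random() < trigger_probability:      # does the trigger occur this year?
            for r in ripples:
                if rng.random() < r.probability:    # does this ripple follow?
                    total += rng.uniform(r.low, r.high)
        losses.append(total)
    losses.sort()
    return {"mean": statistics.fmean(losses),
            "p50": losses[runs // 2],
            "p90": losses[int(runs * 0.9)]}

if __name__ == "__main__":
    p = 0.25  # constructed: such a breach expected roughly once every four years
    print(f"Expected annual loss: EUR {expected_loss(SCENARIO, p):,.0f}")
    print("Largest ripples:", rank_domains(SCENARIO, p)[:2])
    print({k: f"EUR {v:,.0f}" for k, v in simulate(SCENARIO, p).items()})
```

The p90 figure is the "€X in potential loss" number a board can weigh against a control's cost, which a "high" on a heat map cannot be.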

To conclude, effective data protection is about safeguarding the entire company and the multiple groups of people who interact with it (employees, consumers, partners, students, patients, etc., depending on your business context). It isn't only about avoiding fines. Risk to individuals is the moral and legal starting point, but the ripple effects are what demonstrate the full business impact. Here are three things you can action immediately:

  1. Map your own ripples: take a recent data protection issue and map its potential consequences across various domains (e.g. operational, reputational or financial). Present this to your boss or a key stakeholder in the business to get their reaction.

  2. Learn their language: get out and about in your company to build relationships with different teams and understand the company's broader risk appetite and key business objectives. Digital marketing, HR or product development are always great starting points.

  3. Quantify: move towards data-driven, scenario-based risk assessments that speak the language of your company's operating currency and business objectives.


When you can show your key stakeholders how awkward legal wording in a privacy notice could ultimately impact shareholder value, you cease to be the necessary evil and may start to be perceived as an indispensable strategic advisor!

Purpose and Means is a niche data protection and GRC consultancy based in Copenhagen but operating globally. We work with global corporations, providing services with flexibility and a slightly different approach to the larger consultancies. We have the agility to adjust and change as your plans change. Take a look at some of our client cases to get a sense of what we do.

We are experienced in working with data protection leaders and their teams in addressing troubled projects, programmes and functions. Feel free to book a call if you wish to hear more about how we can help you improve your work.

Linking data protection risk to enterprise risk