
Managing risk

Top 3 data protection program issues and how to start resolving them: #27

Risk management must be at the heart of any data protection programme.

It must be living and breathing.

It’s an accountability mechanism that generates evidence.

If you don’t have one, or you do and it’s ineffective, you’ll struggle to demonstrate to a regulator that you’re in control.

Here are some common issues we encounter.

#1 All mixed up

Operational risk, legal risk, compliance risk, reputational risk, project or programme risk, information security risk, information risk, data protection risk, etc.

We need to know what these terms mean, the processes needed to manage them, and the triggers or interlocks that may exist between them in a given context.

It’s complex and anyone involved in the risk life cycle needs to understand the differences.

Education is key, especially for senior management who make critical decisions that can make or break your work.

Using the correct framework is equally important.

For example, you’ll struggle to identify risks to the rights and freedoms of individuals if you rely purely on a security risk framework.

If you are new to data protection, a good starting point is to gen up on what ‘risk-based approach’ actually means.

The old WP29 issued a statement about this in 2014 - look it up.

It may surprise you.

#2 You own everything!

Roles and responsibilities around risk are also critical.

Too many data protection practitioners end up owning risks that they have no knowledge, power or influence over.

Risk management requires delegation and people taking responsibility.

For example, if a risk is identified in relation to the use of a piece of tech, we need to home in on the most appropriate individual associated with the technology, or the process it may support.

The same can be said for deploying deceptive design (dark) patterns in a user interface.

As DP pros, we need to ensure the risk management system is in place, and woven into the fabric of the company.

Don’t own risks that you have no influence over.

#3 Dusty registers

This issue is common to all kinds of risk.

Often you’ll find wonderfully crafted *initial* risk registers.

And that’s it.

No updates.

Lots of valid ideas about risk treatment.

No estimates.

No approvals.

No plans.

No implementation.

No value.

Not in control.

At Purpose and Means, we do things differently.

The data protection experience for employees and management is what we focus on.

We build passion and interest in data protection through highly visual, creative approaches.

Data protection is complex, and bringing it alive and making it actionable from top to bottom requires an approach your average copy/paste consultancy doesn’t provide.

Purpose and Means helps Data Protection Leaders refresh their work, focusing on business alignment and orchestration.

We’re based in Denmark, but operate globally.

If this issue resonates, book a call to discuss your requirements!

Petruta Pirvan
Tim Clements
May 2, 2023
