What is a data protection risk?
A simple primer on data protection risk management
A risk generally refers to the exploitation of a vulnerability that leads to an event with some sort of negative impact and that has a certain likelihood of taking place.
Accordingly, a data protection risk refers to the exploitation of a vulnerability that leads to an event which negatively impacts the protection of a data subject's personal data and that has a certain likelihood of taking place.
With this definition, a data protection risk can be broken down into the following parts:
Threat. The actor and the processing activity they could undertake.
Vulnerability. The means that could be used by the actor to obtain the data needed for the processing activity.
Event. The opportunity for the actor to collect the data for the processing activity.
Consequence. The ramifications of the actor carrying out the processing activity, in particular for the data subject.
The table below sets out the risk of the personal data of social media users being used for AI model training:
Data protection risks are measured in terms of the severity of their impact and the likelihood of their taking place. Defining and measuring the data protection risks arising from a processing operation forms the basis of data protection risk management.
The measures put in place to address the identified risks (which, once implemented, could mitigate or eliminate those risks) depend on the nature of the risks. Those measures could be administrative (e.g., policies), technical (e.g., encryption) or physical (e.g., locked filing cabinets).
Continuous monitoring is also required for effective risk management: it tracks how risks change over time so that the measures implemented can be adjusted accordingly.
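To make the four-part breakdown, the severity x likelihood measurement and the monitoring step concrete, here is an added example in Python; it is not part of the original primer. It records a risk as threat, vulnerability, event and consequence, scores the inherent risk as severity x likelihood on a five-point scale, applies administrative, technical or physical measures to obtain a residual score, and re-scores when monitoring reports a change. The scale, the rating thresholds, the measures and the number of scale steps each measure is credited with are all assumptions constructed for illustration; the example risk is the one the primer names, the personal data of social media users being used for AI model training.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """Five-point ordinal scale used for both severity and likelihood (an assumption)."""
    NEGLIGIBLE = 1
    LOW = 2
    MODERATE = 3
    HIGH = 4
    SEVERE = 5


# The three kinds of measure named in the primer.
MEASURE_KINDS = {"administrative", "technical", "physical"}


@dataclass
class Measure:
    """A measure addressing a risk; it lowers likelihood and/or severity by whole scale steps."""
    name: str
    kind: str
    likelihood_reduction: int = 0
    severity_reduction: int = 0

    def __post_init__(self):
        if self.kind not in MEASURE_KINDS:
            raise ValueError(f"unknown measure kind: {self.kind}")


@dataclass
class DataProtectionRisk:
    """One entry in the risk register, broken down into the primer's four parts."""
    threat: str         # the actor and the processing activity they could undertake
    vulnerability: str  # the means they could use to obtain the data
    event: str          # the opportunity to collect the data
    consequence: str    # the ramifications, in particular for the data subject
    severity: Level
    likelihood: Level
    measures: list = field(default_factory=list)

    def inherent_score(self) -> int:
        """Score before any measures: severity x likelihood, range 1..25."""
        return int(self.severity) * int(self.likelihood)

    def residual_levels(self) -> tuple:
        """Levels after applying all measures, floored at the bottom of the scale."""
        sev = int(self.severity) - sum(m.severity_reduction for m in self.measures)
        lik = int(self.likelihood) - sum(m.likelihood_reduction for m in self.measures)
        return Level(max(1, sev)), Level(max(1, lik))

    def residual_score(self) -> int:
        """Score after measures: residual severity x residual likelihood."""
        sev, lik = self.residual_levels()
        return int(sev) * int(lik)


RATING_ORDER = ("low", "medium", "high")


def rating(score: int) -> str:
    """Bucket a 1..25 score into a rating (the thresholds are assumptions)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def reassess(risk, new_severity=None, new_likelihood=None, tolerance="low"):
    """One continuous-monitoring step: update whichever inputs changed, re-score,
    and report whether the residual rating now exceeds the tolerated rating,
    which is the signal that the measures in place need revisiting."""
    before = rating(risk.residual_score())
    if new_severity is not None:
        risk.severity = new_severity
    if new_likelihood is not None:
        risk.likelihood = new_likelihood
    after = rating(risk.residual_score())
    needs_action = RATING_ORDER.index(after) > RATING_ORDER.index(tolerance)
    return before, after, needs_action


def build_example_risk():
    """The risk the primer names, with constructed (hypothetical) ratings and measures."""
    return DataProtectionRisk(
        threat="Platform operator using users' posts and profiles to train an AI model",
        vulnerability="Users' content is stored in a form the training pipeline can read",
        event="Content is exported from the platform into a training dataset",
        consequence="Personal data is used for a purpose the data subject did not expect",
        severity=Level.HIGH,
        likelihood=Level.HIGH,
        measures=[
            Measure("Policy: model training is not a permitted purpose without a documented basis",
                    "administrative", likelihood_reduction=1),
            Measure("Pipeline filter: drop records carrying direct identifiers or private-account content",
                    "technical", likelihood_reduction=1, severity_reduction=1),
        ],
    )


if __name__ == "__main__":
    risk = build_example_risk()
    print("inherent:", risk.inherent_score(), rating(risk.inherent_score()))
    print("residual:", risk.residual_score(), rating(risk.residual_score()))
    # Monitoring later observes that the likelihood has risen (a constructed change).
    print("after monitoring:", reassess(risk, new_likelihood=Level.SEVERE))
```

With the constructed values the inherent score is 16 ("high"), the two measures bring the residual score down to 6 ("low"), and a later monitoring observation that the likelihood has become severe pushes the residual back to 9 ("medium"), which `reassess` flags as exceeding the tolerated rating. Reductions measured in whole scale steps are a deliberate simplification: a real assessment would record the evidence behind each reduction rather than a bare number.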