Most data protection laws require some sort of privacy and/or data protection risk assessment before handling any personal data.
However, the scope and depth of these assessments are often debated, and there are as many versions as there are GRC professionals.
Having looked at most data protection laws globally, it is possible to bundle the required elements at a meta level (nothing mind-blowing).
The Method
The assessments are often based on a default risk catalogue or some standard. This is great for ensuring a consistent method; however, it does not encourage much creativity or new perspectives.
Often, the ex-ante assessment does not reflect the ex-post reality, and the approach tends to create repetitive assessments. Randomly picking risk scenarios therefore forces new ways of identifying and talking about risks.
By mixing the default risk categories for both security and privacy with some “light-gambling”, the assessor has to use their creativity to imagine what could happen and draft the risk scenario.
There is no point in explaining why gambling methods work, so combining the classic slot machine with a bit of framing and the IKEA effect helps the assessor make proper risk assessments.
The Framework
The commonality in most of the regulations is that you have to identify potential Internal or External threats/threat actors, which is the first distinction used to classify the “Who” of the risk.
Another key aspect is the intention or action of the threat actor, which can be Intentional, Accidental, Unlawful, or Unauthorized. This distinction helps to classify the “Why” and “How” of the risk.
Then it is ideal to classify which risk domain it relates to, which is often Confidentiality, Integrity, Availability, or Data Protection (some like to call it “Privacy”). This distinction is important for the “What” of the risk.
The next part would be classifying the subset of the risk domain; for Availability it could be theft, loss, destruction, or inaccessible. Similar subsets are relevant for the other domains.
The last part would be to add likelihood and impact to the risks, and then you have a risk assessment. This does not cover the harm or impact to the individual or organisation, but for inspiration I would recommend ISO 27557, ISO 27005, ISO 29134, and Solove’s taxonomy.
The Privacy Risk Game
The game works like a slot machine that randomly generates a risk based on the framework. I have also added some example probabilities based on breach statistics from the Danish Data Protection Authority (just an example).
When the slot machine stops, the assessor defines a realistic risk scenario based on the values, which serve as a guiding tool. Likelihood and impact can be estimated afterwards using the organisation’s own risk methodology.
[Slot machine widget: reels for Threat, Action, Domain, and Event, with an “Enable Probabilities” toggle]
Example 1: There is a risk that management (Internal) decides to use customer data (Intentional) to train an AI model (Privacy, Misuse).
Example 2: There is a risk that a vendor (External) forgets to do proper change management (Accidental), which causes the software to be unavailable to our customers (Availability, Inaccessible).
Example 3: There is a risk that an employee (Internal) looks up patients (Intentional) and shares the data with an insurance company (Confidentiality, Disclosure).
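The slot machine described above, as an added example in Python that is not the post’s own widget: each pull draws one value from the Threat, Action and Domain reels, then draws an Event from the subset belonging to the chosen domain so the four values stay consistent, and renders a scaffold the assessor completes into a scenario like the three examples. The Threat, Action and Domain values and the Availability events come from the framework; the event lists for the other three domains and all weight values are constructed placeholders, not the Danish DPA statistics the post mentions.

```python
"""Privacy Risk Game: a seeded 'slot machine' that draws one value per reel
(Threat, Action, Domain, Event) and renders a scenario scaffold."""
import random
from collections import Counter
from dataclasses import dataclass

# Reel catalogue. Threat, Action and Domain values are the ones named in the post.
REELS = {
    "Threat": ["Internal", "External"],
    "Action": ["Intentional", "Accidental", "Unlawful", "Unauthorized"],
    "Domain": ["Confidentiality", "Integrity", "Availability", "Data Protection"],
}
# Event subsets per domain. Availability's list is from the post; the other
# three lists are illustrative assumptions and should be replaced by the
# organisation's own catalogue.
EVENTS = {
    "Confidentiality": ["Disclosure", "Exposure", "Interception"],            # assumed
    "Integrity": ["Modification", "Corruption", "Falsification"],            # assumed
    "Availability": ["Theft", "Loss", "Destruction", "Inaccessible"],        # from the post
    "Data Protection": ["Misuse", "Excessive collection", "Over-retention"],  # assumed
}
# Optional per-reel weights ("Enable Probabilities"). Constructed placeholder
# numbers, NOT real breach statistics; each mapping must sum to 1.0.
WEIGHTS = {
    "Threat": {"Internal": 0.7, "External": 0.3},
    "Action": {"Intentional": 0.15, "Accidental": 0.65, "Unlawful": 0.1, "Unauthorized": 0.1},
    "Domain": {"Confidentiality": 0.6, "Integrity": 0.1, "Availability": 0.2, "Data Protection": 0.1},
}


@dataclass(frozen=True)
class Risk:
    threat: str
    action: str
    domain: str
    event: str

    def scaffold(self) -> str:
        """Template the assessor fills in with a concrete, realistic story."""
        return (f"There is a risk that [who: {self.threat}] [does what: {self.action}] "
                f"leading to [{self.event}] affecting {self.domain}.")


def weighted_choice(rng, weights: dict) -> str:
    """Inverse-CDF sampling: walk the cumulative weights until the draw is covered.
    `rng` only needs a random() method returning a float in [0, 1)."""
    draw = rng.random() * sum(weights.values())
    cumulative = 0.0
    for value, weight in weights.items():
        cumulative += weight
        if draw < cumulative:
            return value
    return list(weights)[-1]  # guards against rounding at the very top end


def spin(rng: random.Random, use_probabilities: bool = False) -> Risk:
    """One pull of the slot machine. The Event is drawn from the chosen
    Domain's subset so the four reels never contradict each other."""
    picked = {}
    for reel, values in REELS.items():
        picked[reel] = weighted_choice(rng, WEIGHTS[reel]) if use_probabilities else rng.choice(values)
    event = rng.choice(EVENTS[picked["Domain"]])
    return Risk(picked["Threat"], picked["Action"], picked["Domain"], event)


def play(seed: int, pulls: int, use_probabilities: bool = False) -> list:
    """Reproducible session: the same seed always yields the same risks,
    which lets a workshop's draws be recorded and re-generated later."""
    rng = random.Random(seed)
    return [spin(rng, use_probabilities) for _ in range(pulls)]


def validate_catalogue() -> list:
    """Checks to run after editing the catalogue or weights; returns problems found."""
    problems = []
    for reel, weights in WEIGHTS.items():
        if set(weights) != set(REELS[reel]):
            problems.append(f"{reel}: weight keys do not match reel values")
        if abs(sum(weights.values()) - 1.0) > 1e-9:
            problems.append(f"{reel}: weights sum to {sum(weights.values())}, not 1.0")
    for domain in REELS["Domain"]:
        if not EVENTS.get(domain):
            problems.append(f"{domain}: no events defined")
    return problems


def domain_frequencies(pulls: int, seed: int, use_probabilities: bool) -> Counter:
    """Count domains over many pulls to confirm the probability toggle skews draws as intended."""
    return Counter(risk.domain for risk in play(seed, pulls, use_probabilities))


if __name__ == "__main__":
    for risk in play(seed=2024, pulls=3, use_probabilities=True):
        print(risk.scaffold())
```

Running the module prints three scaffolds for the assessor to turn into scenarios; `validate_catalogue()` is worth calling whenever the reels or weights are edited, and `domain_frequencies()` shows in a few thousand pulls whether the weights are actually biasing the machine the way the breach statistics suggest.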