
By Deidre Rodriguez, CIPP/US

“Perform a risk assessment.” We have all heard this called out as a best practice. But sometimes it is difficult to know where and how to start. How do you begin to develop a risk assessment for your organization?

Start by doing some high-level brainstorming about the company’s risks and who your stakeholders are:

  • Who are your customers?
  • Which business areas interact directly with those customers or their data?
  • What laws and regulations apply to your industry and company? Who has oversight over those laws and regulations?
  • Which business areas interact directly with regulators?
  • Who are your competitors, and what are they doing regarding innovation, the overall direction of the industry and privacy?
  • What issues have you previously experienced or seen? Where has the company had issues or risk?
  • What keeps you up at night?
  • What keeps your C-Suite up at night?
  • What is likely to land the company on the front of a newspaper?

This brainstorming will jumpstart the process by identifying which business areas you need to talk to later in your risk-assessment process. Jot down all of your thoughts and concerns and put them on paper. When you are answering these questions, make sure that you consider past, present and future states.

Evaluate the maturity of your privacy program. There are several maturity models in the privacy industry that can be used to assess your maturity, or you can develop your own. Take a look at the work that you perform as a privacy office day to day. Write down all of those activities: policies and procedures, training, advisory services, etc. Rank each item on a scale based on its maturity. A mature program has processes that are documented, implemented, measured/monitored and improved upon based on the results of that monitoring. Make sure that the areas where you are least mature appear on your risk assessment, and document the desired future state for each. Consider one-year, two-year and three-year stages of improvement. This will help you continually improve and mature your program.

Look for business areas at risk and talk to their leadership about those risks. During the brainstorming in the first step toward your risk assessment, you identified several leaders whose areas have an impact on customers and customer data, or that deal with regulators. Reach out to each of the areas that you identified; also think about other areas that may be able to add value in this process and reach out to their leadership as well. Partnering with your compliance, risk-management and internal audit areas as you conduct these interviews may prove very beneficial. Each of these areas plays a significant role in the company that can help your cause, especially when you are identifying mitigating controls and then testing those controls going forward.

Use a risk-ranking model that is specific to your business. Score each risk on a scale of one to five, one being the lowest. For each item listed on your risk analysis, give a score to each question below and then average those scores for that item. Also consider the likelihood of the risk occurring:

  • Would customers be impacted?
  • Would a high volume of business areas be impacted?
  • Is there a potential for lost business?
  • Is there a potential for regulatory scrutiny?
  • Is there a potential for fines and penalties?
  • Is there a potential for media publicity?
  • Is there a potential for damage to reputation or loss of trust?

Think about additional questions that you need to add to your risk-ranking model to make it work for your business.
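The following is an added worked example, not part of the original article, showing how the risk-ranking model above can be kept as a small scored register. The six impact questions and the one-to-five scale come from the article; the register entries are constructed for illustration, and combining likelihood with the averaged impact score by multiplication is this example's own choice, since the article lists likelihood as a separate consideration without prescribing a formula. Scores outside the scale are rejected rather than silently averaged.

```python
from dataclasses import dataclass

# Impact questions from the risk-ranking model above; each is scored 1 (lowest) to 5.
IMPACT_QUESTIONS = (
    "customers_impacted",
    "many_business_areas_impacted",
    "lost_business",
    "regulatory_scrutiny",
    "fines_and_penalties",
    "publicity_or_reputation",
)

SCALE_MIN, SCALE_MAX = 1, 5


def is_valid_score(value) -> bool:
    """True only for an integer on the article's one-to-five scale (bool excluded)."""
    return isinstance(value, int) and not isinstance(value, bool) and SCALE_MIN <= value <= SCALE_MAX


def validate_score(label: str, value) -> int:
    """Reject anything off the scale so a typo such as 50 cannot dominate the ranking."""
    if not is_valid_score(value):
        raise ValueError(f"{label}: score {value!r} is not an integer in [{SCALE_MIN}, {SCALE_MAX}]")
    return value


@dataclass
class RiskItem:
    name: str
    likelihood: int          # 1-5, how likely the risk is to occur
    impact_scores: dict      # question name -> 1-5 score

    def impact(self) -> float:
        """Average of the per-question scores, as the article describes."""
        missing = set(IMPACT_QUESTIONS) - set(self.impact_scores)
        if missing:
            raise ValueError(f"{self.name}: unanswered questions {sorted(missing)}")
        scores = [validate_score(f"{self.name}/{q}", self.impact_scores[q]) for q in IMPACT_QUESTIONS]
        return sum(scores) / len(scores)

    def priority(self) -> float:
        # Hypothetical combination for this example: likelihood x average impact.
        return validate_score(f"{self.name}/likelihood", self.likelihood) * self.impact()


def rank_risks(items):
    """Highest priority first; ties broken by name so the output is stable."""
    return sorted(items, key=lambda r: (-r.priority(), r.name))


def build_sample_register():
    """Constructed sample entries (not real findings) in the order a workshop might capture them."""
    q = IMPACT_QUESTIONS
    return [
        RiskItem("Outdated privacy notice on website", likelihood=3,
                 impact_scores=dict(zip(q, (3, 2, 2, 4, 3, 3)))),
        RiskItem("Vendor without a signed data-sharing agreement", likelihood=4,
                 impact_scores=dict(zip(q, (5, 3, 3, 5, 4, 4)))),
        RiskItem("Incomplete access review for customer database", likelihood=2,
                 impact_scores=dict(zip(q, (5, 4, 3, 4, 4, 5)))),
    ]


if __name__ == "__main__":
    for risk in rank_risks(build_sample_register()):
        print(f"{risk.priority():5.2f}  impact={risk.impact():.2f}  likelihood={risk.likelihood}  {risk.name}")
```

The access-review item has the highest averaged impact in the sample but a low likelihood, so it ranks below the vendor item once likelihood is factored in; that is the kind of ordering a pure impact average would hide, and it is why the likelihood question deserves its own score rather than being folded into the six impact questions.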

Consider having an external evaluation of your program. Outsiders can often bring a new perspective and see risks that we ourselves cannot see because we are down in the weeds. An external evaluation of your overall program, including your risk assessment and risk-assessment processes, can strengthen your program. It also often gives customers and regulators more confidence in the program because it has been vetted by external parties.

For each item listed on your risk assessment, apply a compensating control. Often you will need to identify interim/short-term controls that will eventually feed into a longer-term vision of how the risk should be mitigated. The work necessary to implement the compensating controls must be included in your work plan. Make sure that you document progress, milestones and completion to show the progress that you have made.

Make your risk assessment live and breathe. Performing a risk assessment is not a once-a-year activity. It is something that will grow and change, that will continually be under revision and refinement. For instance, as you develop training, communications, awareness, and tools/resources, use your risk assessment as your guide. The majority of the activities that you do will tie back to your risk assessment.

Deidre Rodriguez, CIPP/US, has actively been working in privacy compliance for 10 years, including policy development, incident response, advisory support and strategic planning. Currently, Deidre is the director of the Corporate Privacy Office and Regulatory Oversight for WellPoint, Inc.

Read more by Deidre Rodriguez:
10 Steps to a Quality Privacy Program: Part One
Ten Steps to a Quality Privacy Program: Taking Your Program to the Next Level



