Four hundred and fifty years after the birth of Shakespeare, in a comfortably modern room overlooking the Museum of London, the conversation at the IAPP Europe Data Protection Intensive on Tuesday started with the not-so-obvious connection between Hamlet and Paypal. It turns out the Bard of Avon’s longest play has fewer words than Paypal’s privacy notice.

“That’s the basis of much of the privacy world,” said Richard Thomas, adding, “This creates a world of liars.”

Thomas, former UK information commissioner from 2002-2009 and current global strategy advisor for Hunton & Williams’ Centre for Information Policy Leadership, listed several companies that have cheekily placed conditions in their privacy notices to demonstrate that consumers simply do not read them. One example included the Mephistophelian condition of agreeing to give up one’s immortal soul.

More than 7,000 customers unknowingly did so.

This “bureaucracy of data protection” is something Thomas, and a panel of experts at the Data Protection Intensive, argued needs to be eliminated. The solution? Well, according to Thomas, there’s no one, single solution, but a risk-based approach is the needed step in the right direction.

So what is the risk-based approach exactly?

Panelists at the breakout session "Exploring a Risk-based Approach to Privacy," at the IAPP 2014 Europe Data Protection Intensive in London.

“Consensus is still emerging,” Thomas conceded. “None of us yet have the fine-tuned answers. I’m not sharing settled thinking.”

There are some demonstrable trends, however, brought on by several privacy regulators. The French data protection authority, the CNIL, has published a Methodology for Privacy Risk Management, while the UK Information Commissioner’s Office has issued a code of practice for conducting privacy impact assessments (PIAs) and commissioned a research study on PIAs and risk management.

More recently, the Article 29 Working Party issued a new opinion on legitimate interests of the data controller. In the past, various European jurisdictions have shied away from the legitimate interest conversation, while regulators refused to encourage it, said Hunton & Williams Partner Bridget C. Treacy. “Read this opinion,” she added, “it really is talking about risk and about balancing your organization’s rights to process data against an individual’s right to privacy.”

The risk-based approach “helps us understand how to work through and calibrate how principles will apply in context,” Treacy said, but warned, “this is not a substitute for legal compliance.” This approach can help organizations decide how to prioritize risks, determine and allocate budgets and make good decisions on the kinds of issues on which they need to focus.

What, exactly, is the risk-based approach trying to achieve?

Louise Thorpe, vice president, global privacy at American Express, gave business-world examples of the risk-based approach in practice. She said planning for risk management might often depend on how your organization manages operational risk.

For Thorpe, there are three lines of defense. The first line comprises those who come across risks first, which could include customer service representatives, for example. Expecting your privacy team to identify all the risks is unreasonable, so training employees across the organization and communicating potential risks to them helps with identification. The second line is the privacy office, compliance team and/or risk oversight function, and the third is the internal audit team.

Once a risk has been identified, asks Thorpe, what type of risk is it? Does it pose immediate or long-term risk? Is it internal or external? A one-off or recurring risk? From there, be prepared to articulate the identified risk. “This is often overlooked,” said Thorpe. “At the end of the day, are you able to document your risk assessment? Break it down. For example, if we don’t obtain consent, what will happen? Tell me.”

She also stressed the importance of identifying “risk outliers” or worst-case scenarios. Regulators and the media often look at the worst-case scenarios, so having an articulated report is essential.

Thomas recommends using a matrix with threats on one axis and harms on another. How likely and how serious is each component? He then breaks harms up into three categories: tangible harm, intangible distress and societal harm. Likewise, threats include inappropriate use and data in the wrong hands, whether stolen data or data that’s unjustifiably accessed or shared. Then, once the risks are laid out, what are the benefits created by collecting that data? Can they be demonstrated? What, if any, are the benefits to the individual? Can they be identified, articulated or justified? All are significant questions privacy teams should be asking as they assess products and services in a risk-based approach.

Yet, as harms move away from tangibility toward more ephemeral concepts such as potential secondary use or perceived creepiness, demonstration of harm becomes more subjective. Thomas said that “just because some areas are difficult, doesn’t mean you shouldn’t try,” adding, “you can’t have a completely scientific, objectifiable approach” in the risk-based model.

Critics, however, often contend that the risk-based approach sacrifices the will of the individual to the ethics of an organization. Accountability takes center stage, while notice and consent get the hook.

In a recent post for Privacy Perspectives, privacy expert Stuart Shapiro, CIPP/US, warned of the risk of the risk-based approach, writing, “as the narrative goes, since notice and consent don’t work very well as is, and will work less well in the brave new world of Big Data and the Internet of Things … we (the enterprise) will take over most of the responsibility for your privacy.” Shapiro opines that one privacy model—the one based on the Fair Information Privacy Practices—is being exchanged for another.

“We need to augment our existing risk models,” Shapiro argued, “to reflect the increased responsibility of enterprises rather than using poor execution as an excuse to undermine a model that might cramp the style of Big Data masters of the universe.”

But, for Thomson Reuters VP and Senior Privacy Officer Nicola McKilligan, CIPP/E, the risk-based approach is about focus.

Assess what products or services pose the greatest risk and scrutinize those the most. Have a quick turnaround for any data requests or consumer complaints. “For example,” she said, “organizations spend too much time crafting privacy policies—which ultimately do not prevent privacy harm—instead of preventing truly harmful outcomes.”

Though the risk-based approach may be unsettled, Thomas noted, it is a proactive attempt that includes—but goes beyond—mere compliance.

Ah, but if only Shakespeare crafted the modern privacy notice … in sonnet form, of course.

Written By

Jedidiah Bracy, CIPP/E, CIPP/US
