Rather than all of a sudden finding yourself in a bad situation, it's better to see it coming (when possible). Key Risk Indicators (KRIs) help with that. A Key Risk Indicator measures the likelihood of something happening and tells you whether its consequence will exceed the organization's risk appetite. These measurements can be expressed as percentages, currency, numbers, values, etc.
As mentioned, Key Risk Indicators tell you whether the activity you're planning, or the risk attached to it, is higher than your risk appetite. So it makes sense that you first need to know what your risk appetite is (or what it should be under the GDPR) before you can tell that you've crossed the line.
Well, that's not for me to say, but here's what I can say: as a general rule, you should never risk more than you can afford to lose. Not everybody will agree with that, and it also depends on your situation, I suppose. Organizations for which time to market is a competitive factor are more likely to have a high risk appetite than, for instance, an organization that lives off its reputation and long-term commitments, which would most likely take fewer chances and therefore has a lower risk appetite. But, as a side note, we all remember the banking crisis: they spent money they didn't have, and mostly the innocent parties got hurt. Let's try to avoid that, shall we?
There are many, many variables, but to keep it simple I'm showing three distinct risk appetites: low, average and high. The colors in the matrices mean the following:
Low risk appetite: an organization that would rather not take a lot of risk tends to set very strict boundaries and play it safe. You'll see more red and amber, meaning that actions are considered risky very quickly.
Average risk appetite: the word 'average' is key. This is the most common profile for organizations.
High risk appetite: you'll notice that there's a lot of green, a.k.a. low-risk zones. This means that the organization accepts risks with an extreme impact as long as their probability is unlikely. Unlikely still means it can happen; keep that in mind. You could also say they're taking a calculated risk. They're willing to accept a moderate impact when the probability of the risk occurring is occasional. Now that's significant, don't you think?
The GDPR has something to say about this too. It requires organizations to be able to measure risks, using matrices like the ones above, to determine whether a risk is high. Keep in mind that although an organization may be willing to risk a lot when it comes down to its own reputation, the GDPR won't allow such high risks when they affect data subjects. The risk appetite of a personal data processing activity would look something like this:
If your assessment shows that you're in the red zone, under the GDPR you must conduct a DPIA (Data Protection Impact Assessment). To learn more about that, sign up for the 60 Day Privacy & Risk Challenge, where you'll learn when to conduct a DPIA and we'll practice writing a few too, or contact me to help you conduct a Data Protection Impact Assessment.
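To make the matrices concrete, here is an added example (my own illustration, not part of the original post) that scores a risk as likelihood times impact, maps the score to green, amber or red under the three appetite profiles, and applies a stricter profile whenever the activity processes personal data, with a red cell flagging the DPIA. The five-point scale labels, the two thresholds per profile and the data-subject profile are constructed assumptions, chosen only so that the high-appetite matrix matches the description above.

```python
LIKELIHOOD = {"rare": 1, "unlikely": 2, "occasional": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "extreme": 5}

# (amber_at, red_at) on score = likelihood * impact (1..25). These thresholds
# are constructed assumptions chosen to reproduce the post's description: a
# high appetite keeps extreme impact at unlikely probability (5*2=10) and
# moderate impact at occasional probability (3*3=9) green, while a low
# appetite turns amber and red almost immediately.
APPETITE = {"low": (3, 6), "average": (6, 12), "high": (11, 16)}

# Constructed profile for risks to data subjects. The GDPR does not let an
# organisation's own appetite loosen this, so it is applied as a cap.
DATA_SUBJECT = (4, 8)

def thresholds(appetite, personal_data=False):
    amber_at, red_at = APPETITE[appetite]
    if personal_data:  # the stricter of the two profiles wins
        amber_at, red_at = min(amber_at, DATA_SUBJECT[0]), min(red_at, DATA_SUBJECT[1])
    return amber_at, red_at

def zone(likelihood, impact, appetite="average", personal_data=False):
    """Return 'green', 'amber' or 'red' for one cell of the matrix."""
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    amber_at, red_at = thresholds(appetite, personal_data)
    if score >= red_at:
        return "red"
    if score >= amber_at:
        return "amber"
    return "green"

def dpia_required(likelihood, impact, appetite="average"):
    """A red cell for a personal-data processing activity triggers a DPIA."""
    return zone(likelihood, impact, appetite, personal_data=True) == "red"

def render_matrix(appetite, personal_data=False):
    """One text row per impact level (extreme on top); G/A/R per likelihood."""
    rows = []
    for imp in sorted(IMPACT, key=IMPACT.get, reverse=True):
        cells = "".join(zone(lk, imp, appetite, personal_data)[0].upper()
                        for lk in sorted(LIKELIHOOD, key=LIKELIHOOD.get))
        rows.append(f"{imp:>11} {cells}")
    return "\n".join(rows)

if __name__ == "__main__":
    for name in APPETITE:
        print(f"--- {name} appetite ---\n{render_matrix(name)}")
    print("DPIA needed:", dpia_required("unlikely", "extreme", "high"))
```

Columns run from rare to almost certain; the same extreme-but-unlikely risk that sits in green for a high-appetite organization lands in red, and therefore in a DPIA, once it concerns data subjects.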
We call this your risk response. There are a few things you can do:
Sign up for the 60 Day Privacy & Risk Challenge, which starts on February 3rd, 2020.