Privacy Risk Assessment

March 24, 2020 - Ensighten

Why privacy risk assessment is vital to ensuring regulatory compliance – and will extend to your website security

Data privacy is one of the most fiercely debated topics today between business leaders, technology companies, governments and individuals. Fuelled by the introduction of strict data protection regulations across the world, such as the California Consumer Privacy Act (CCPA) and the GDPR (General Data Protection Regulation), it is incumbent on organizations to ensure the privacy of the data they process – or face weighty consequences.

A 2019 survey by Gartner noted that 64 percent of senior executives said “accelerating privacy regulation” was the top emerging risk their organizations face, with privacy regulation concerns most prevalent among professionals in banking, financial services, and technology and telecommunications industries.

Despite this, there are daily reports of data leaks or exposure from within organizations that thought they had the right data protection measures in place. Indeed, 2019 was labelled the “worst year on record” for data breach activity.

Here we examine the importance of privacy risk assessments, which are also known as data protection impact assessments (DPIA) or privacy impact assessments (PIA), to ensure you accurately measure and manage the risk to your customers and keep your organization compliant with global data protection regulations.

 

Why do I need to undertake a privacy risk assessment?

Data is the lifeblood of every organization. If your business collects sensitive and personal customer data – to build marketing campaigns, improve the customer experience or for payment purposes, for example – how you manage, store and secure that data will be essential to maintaining your regulatory compliance. That does not just mean protecting your organization from data breaches and cyberattacks; it also requires respecting data subjects’ privacy.

Personal data always needs to be kept secure, as vulnerabilities in the flow of data lead to the risk of breaching customers’ personally identifiable information (PII). The data in question could be usernames, location data, online identifiers like IP addresses or cookies, or passwords.

Despite the headlines, you do not even have to be subject to a cyberattack – under the regulations, a breach can include the accidental or unlawful destruction, loss or disclosure of personal data.

This applies to data whether it is saved in a database, kept as a hard copy or being transferred to or from third parties. Each area has its own risks, but the OWASP Top 10 Privacy Risks Project lists website vulnerabilities, including injection flaws (which allow attackers to copy or manipulate data) and sensitive data exposure (which allows attackers to gather sensitive information), as the biggest risk to data privacy.

Any organization that is required to comply with the CCPA or GDPR must conduct regular privacy risk assessments. The ability to ensure confidentiality, integrity, availability and resilience will be crucial – as will be restoring data in a timely manner in the event of an incident. You will also need to demonstrate you have taken adequate steps to protect the data in your care in the event of a breach or leakage.

 

What does a privacy risk assessment involve?

A privacy risk assessment is typically designed with three main goals in mind:

  • Ensure conformance with applicable legal, regulatory and policy requirements for privacy
  • Identify and evaluate the risks of privacy breaches or other incidents and effects
  • Identify appropriate privacy controls to mitigate unacceptable risks

 

How do you conduct a privacy risk assessment or PIA? Data protection regulations like the CCPA or GDPR do not prescribe specific data protection technologies, and there is no such thing as an official risk assessment template; instead, there are processes that organizations should undertake.

“Risk identification needs to be part of the process, as well as a systems design. Privacy by design and by default is all about identifying privacy risk and making sure a risk-based approach guides you through the entire lifecycle of data,” notes the International Association of Privacy Professionals (IAPP).

  

Benefits of privacy risk assessments

According to the IAPP, undertaking privacy risk assessments has multiple benefits for your organization:

  • Provides an early warning system – a way to detect privacy problems, build safeguards before, not after, heavy investment and to fix privacy problems sooner rather than later
  • Provides evidence that an organization attempted to prevent privacy risks (reduce liability, negative publicity, damage to reputation)
  • Enhances informed decision-making
  • Helps the organization gain the public’s trust and confidence
  • Demonstrates to employees, contractors, customers and citizens that the organization takes privacy seriously

 

Many of these benefits focus on how undertaking privacy risk assessments can help avoid the costly and embarrassing effects of a data breach.

For example, the average cost of a data breach is now $3.92 million, with the biggest contributor to costs being lost business. The effects of data leakage can also be felt for years. According to 2019 figures, 67 percent of data breach costs were realized within the first year after a breach, but 22 percent accrued in the second year and another 11 percent accumulated more than two years after a breach.

There is also the reputational damage and diminished goodwill that organizations will suffer – once an organization has lost the trust of its customers, it is difficult to win it back. Data breaches caused abnormal customer turnover of 3.9 percent in 2019 and 64 percent of consumers say they are unlikely to do business with a company where their financial or sensitive data was stolen.

 

Risk assessment for your website

As we mentioned earlier, it is critical to conduct privacy risk assessments wherever data flows throughout your organization. Importantly, this includes your website too, an area that, despite being a goldmine for customer PII (and consequently a prime target for hackers), is often overlooked.

The fact is your website is exposed to hundreds of threats in the form of malicious JavaScript code injections, unsolicited advertising, digital skimming and third-party vulnerabilities, as well as accidental data leakage or non-compliance with strict data protection regulations.

This is compounded as data leakage can often occur at the client side of the website, so it is more difficult to see what is going on until it is too late.

To combat this, you need a real-time view of your digital data supply chain: all the technologies running on your digital properties. Essentially, you are performing a full privacy risk assessment as web pages are loaded.

You should know what code is running on your website – whether it is your own or from a known or unknown third party – and have the ability to control and limit who has access to data, and what data they collect and share, to prevent data leakage.

If you are unsure as to the security posture of your website or you think you may be vulnerable to attack, ask yourself these three questions:

  • Who is responsible for website security in my organization?
  • How many third-party technologies do I have on my website? And what exactly do they do?
  • Are there any security checks in place to ensure third-party technologies do not capture or pass on sensitive information?

 

As part of a layered approach to data protection, you should conduct an audit or assessment and seek help to rectify any vulnerabilities. Best practice should be based on a combination of observation, defence and protection. For example:

  • Performing a regular site scan to see just what is running on the site, which includes testing any new updates to detect any suspicious behaviour
  • Observing and monitoring site traffic in real time with real user activity to help identify any suspicious patterns so you can act before any damage can be done
  • Allowing trusted third-party services – creating an allowlist and a blocklist allows you to only share data with trusted vendors
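
The site-scan and allowlist/blocklist practices above, as an added example that is not part of the original article or any Ensighten product: a Node.js function that inventories the script origins in a page's HTML and sorts them into first-party, allowed, blocked and unknown. The hostnames, the sample HTML and the function names are constructed for illustration, and the regular-expression tag extraction assumes well-formed markup.

```javascript
// Added example: classify every script a page loads against a vendor
// allowlist and blocklist. All hostnames and the sample HTML are constructed.
const SAMPLE_HTML = `
<html><head>
  <script src="/assets/app.js"></script>
  <script src="https://cdn.analytics-vendor.example/tag.js"></script>
  <script async src="//widgets.chat-vendor.example/loader.js"></script>
  <script src="https://static.unknown-tracker.example/c.js"></script>
  <script src="https://ads.blocked-network.example/pixel.js"></script>
  <script>console.log("inline bootstrap");</script>
</head></html>`;

// True when host is a listed domain or a subdomain of one.
function hostMatches(host, list) {
  return list.some((d) => host === d || host.endsWith("." + d));
}

function auditScripts(html, pageUrl, allowlist, blocklist) {
  const firstParty = new URL(pageUrl).hostname;
  const report = { firstParty: [], allowed: [], blocked: [], unknown: [], inlineCount: 0 };
  // Simplification: regex extraction assumes no ">" inside attribute values.
  const tagRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const src = /(?:^|\s)src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(m[1]);
    if (!src) { report.inlineCount += 1; continue; } // inline code: review separately
    const raw = src[1] ?? src[2] ?? src[3];
    let host;
    try { host = new URL(raw, pageUrl).hostname; } catch { report.unknown.push(raw); continue; }
    if (hostMatches(host, blocklist)) report.blocked.push(host);      // blocklist wins
    else if (host === firstParty) report.firstParty.push(host);
    else if (hostMatches(host, allowlist)) report.allowed.push(host);
    else report.unknown.push(host);                                   // needs vendor review
  }
  return report;
}

const report = auditScripts(SAMPLE_HTML, "https://shop.example/checkout",
  ["analytics-vendor.example", "chat-vendor.example"], ["blocked-network.example"]);
console.log(report);
```

Entries under `unknown` are the ones to chase: each is a third party with access to the page that nobody has approved. A static scan like this only sees scripts present in the served HTML, not ones injected at runtime by other scripts.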

 

With a real-time website security strategy and enforcement tools such as Ensighten’s MarSec™ solution, you can prevent website data leakage and unauthorized sharing of PII while complying with the CCPA and other data privacy regulations.

“As attackers focus more on the client side, organizations must consider the impact of script and browser vulnerabilities more broadly. Work the above scenarios into your threat modelling and think about how to best protect your customers and their experiences with your site,” notes analyst Forrester.

Get in touch with Ensighten to find out more about how to protect your website from data leakage or theft while complying with global data privacy legislation.