GDPR Risk Assessment Report

Risk management for one of the most important privacy regulations of our time.

Primary Users

Chief Data Officer, Data Steward

Key Goals Addressed

Assessing regulatory risk, facilitating the risk assessment process, and surfacing bottlenecks related to sensitive data elements.

Background / Challenge / Brief

The GDPR (General Data Protection Regulation) – a comprehensive and powerful law – was announced a couple of years ago and comes into effect in May 2018. A large number of firms that process people’s data are governed by this regulation and need to assess their risk so that they can mitigate it.

Risk assessment is the first step towards risk mitigation and achieving compliance. We asked the basic ‘what’, ‘where’ and ‘who’ questions about the risk firms face. What is the scope of entities for which we have a risk assessment? Where are the entities that are causing the risk? Who are the stakeholders, upstream and downstream from a firm? How might we make the risk assessment process more inclusive and transparent, so that feedback can be taken from all stakeholders?

One of the questions a Chief Data Officer may want answered is: how much of my landscape has been scanned or verified by a human, or certified by a regulator? Beyond the entire landscape, the same question can be asked of a particular physical entity, such as a database, or a logical entity, such as a line of business. Further, while individual data elements may not pose a risk, combinations of sensitive data elements do. Hence, insight into the number of connected elements, and into where many such records exist, helps identify high-risk areas. It would also be desirable to see how the risk is (hopefully) decreasing over time.

Let’s look at it from a different vantage point – the data steward – a person responsible for handling data in an organisation at the grassroots level. For a given entity such as an application, database, schema or table, they want to know its relevance from a risk perspective and how sensitive the data elements within it are. How far along is the entity in being connected, curated, or brought into compliance? Are there any bottlenecks in the process that they need to resolve?
