Risk assessments in Privacy Management

  • Release version: Xanadu
  • Updated July 31, 2025

    You can perform risk assessments on your processing activities to determine their risk scores and find out the privacy risk posture of your organization.

    To understand the risk posture, the following assessments are performed.

    Criticality assessments

A criticality assessment uses a risk assessment methodology to determine the initial risk level of a processing activity. Using the resulting criticality score, the privacy team can prioritize or deprioritize the activity accordingly. For example, a criticality factor might be whether personal data is processed in a way that influences key decisions or enables impactful autonomous decision-making; the assessment questions help identify this.

Criticality assessments can be performed using one of the following two methods.

Manual criticality assessment

Using the manual method, a privacy manager initiates the criticality assessment from a processing activity. If you're already working on a processing activity and want to assess its criticality, you can manually trigger this assessment using the Assess criticality action in the user interface. When you trigger the criticality assessment, the system automatically calculates the criticality score based on the information already available in the fields of the processing activity form. On the Regulatory details tab of a processing activity, you can provide the risk-related details. After you enter this information, triggering the criticality assessment uses these values to calculate the risk score. The system can calculate the criticality score multiple times if triggered manually. Each time, it uses the most recent data entered in the processing activity fields and regulatory details.

Automated criticality assessment

Using the automated method, the privacy manager uses the Automated criticality factors risk assessment methodology (RAM) that is provided by default to calculate the criticality score of a processing activity. A privacy manager must publish this RAM before it can be used; by default, the RAM is provided in the Draft state. When a user performs a screening assessment, they are prompted to respond to several questions, including those related to criticality and risk assessment. If the user answers these criticality-related questions during the screening assessment, the system automatically calculates the criticality risk score. The calculated score is then displayed on the Overview page when the user proceeds to the processing activity. Because only two RAMs are supported at a time, the privacy manager must deactivate any other existing criticality factors RAM. Note that when an existing criticality factors RAM is deactivated, all in-progress risk assessments associated with that RAM are canceled.

Figure: Manually initiate criticality assessment.

    Privacy risk assessments

Privacy risk assessments are detailed assessments that are conducted if the criticality score is high. You assess each risk that is associated with the processing activity and view the aggregated risk score on the processing activity. After you assess the privacy risks, you can view the privacy risk posture on the risk heatmap in the overview section. The heatmaps provide detailed information about your inherent and residual risks. See the following image to understand how you can initiate the detailed risk assessment.

Figure: Perform advanced risk assessments.

    Risk heatmap scores

The risk assessment results and the risk heatmaps appear on the processing activity home page, as shown in the following images.

Figure 1. Risk scores on a processing activity (risk criticality score)

Figure 2. Risk heatmap on the processing activity (risk heatmap view)

    To understand the details about how to perform the risk assessments, see Privacy assessment configurations.