Okay, in a conversation I was having last week about the new EU and UK data protection regulations and legislation, someone said to me: “what on earth do they [DPA 2018 & GDPR] mean when they say you have to take a Risk Based Approach to ensuring data protection?”
Good question, I thought. And I could only come back to something I believe to be the core foundation stone for anything related to whatever sexy label you want to put on it: the application of sound Information Risk Management (IRM) techniques is central to keeping information safe, whether the threat comes through any one or a combination of the people, process and technology aspects of collecting, using, communicating or storing information in any form. Without this, you simply will never be as secure as you should be.
Oh yes, and I hear you say… there’s no such thing as 100% security. Whatever percentages you care to bandy about, the highest levels are only achievable if you use IRM techniques to understand the risks you face and identify the most appropriate, affordable and accreditable secure solution.
Understand what value your information has to you. Every bit of information your business holds falls into one of at least three categories (highly sensitive, confidential or public) and, as a result, has a value whose loss can have a negative financial impact on the business. It is therefore important that you understand what the “value at risk” is to the business should you find that information has been compromised: stolen, altered or no longer available to you.
There is always both a direct and an indirect value at risk: the actual cost impacts and the consequential or collateral cost impacts. Understanding these costs informs your decisions on risk reduction controls, which may be “organisational” or “technological”. More importantly, this knowledge will make sure you don’t spend too much time, effort and cash on inappropriate “all singing and dancing” bits of technology when simple people, process and procedural controls will be sufficient; and, of course, that you don’t skimp on technology where procedural controls alone are not enough.
So, to answer the direct question, “what on earth do they [DPA 2018 & GDPR] mean when they say you have to take a Risk Based Approach to ensuring data protection?” Simples… use a good information risk management technique, like the H2 methodology, and you will be well placed to meet the requirements of the DPA 2018 and GDPR in terms of both Privacy by Design and Default and taking a Risk Based Approach to data protection. In GDPR terms, that is the “appropriate to the risk” test for security of processing in Article 32, the data protection by design and by default duty in Article 25, and the data protection impact assessment that Article 35 requires for high-risk processing; none of these is satisfied by buying a product, only by showing you have identified the risks and chosen proportionate controls.
We at H2 have a great deal of experience in helping companies understand that Value at Risk. We would be delighted to discuss our methods with you and even demonstrate how we conduct our IRM reviews.