Do you need to conduct a data privacy risk assessment?

Posted on 03-13-2019 by Lisa Thompson

March 15 is World Consumer Rights Day, and this year’s theme is ‘Trust in Smart Devices.’ Innumerable devices populate the digital landscape—from wristbands that track every step taken to smartphones that instantly connect users with family, friends and brands. And with every connection, data is generated and collected. But being entrusted with private data demands a proactive risk management strategy.

Why data privacy should be part of your risk mitigation program

Consider the cost of data breaches.

Each year, the Ponemon Institute conducts benchmark research into the cost of data breaches. This year's edition—lucky number 13, if you’re counting—saw increases in both the global average cost of a data breach and the average cost for each lost or stolen record containing sensitive information.

Sure, $148 doesn’t sound like a big deal, but when you look at notable data breaches in 2018, the potential financial risk becomes crystal clear. Take the hacking of Marriott’s Starwood Hotels reservation database, which exposed personal information, including passport numbers and credit card details, for 5 million customers. That’s a hefty $740 million price tag. According to Digital Information World, other notable data breaches of 2018 included:

Financial risk related to data breaches isn’t tied only to the size of the breach, either. In terms of volume, the Facebook and Cambridge Analytica data breaches weren’t the largest, but the loss of trust among consumers and investors came at a high price.

In May 2018, enforcement of the European Union’s long-anticipated General Data Protection Rules (GDPR) came into effect. Companies don’t need to have operations in the EU to be subject to GDPR. Large or small, multinational or regional—if your company has a website that can be visited by EU citizens, then GDPR is definitely a potential compliance risk. We’ve created a quick factsheet on GDPR for details.

The U.S. does not currently have an equivalent, comprehensive federal law regulating data privacy and security; however, there are a number of sector-focused laws that address consumer data.

  • The Federal Trade Commission Act (FTC Act) applies its consumer protections to offline and online privacy and data security policies.
  • Children's Online Privacy Protection Act applies to the online collection of information from children.
  • The Financial Services Modernization Act (also known as Gramm-Leach-Bliley Act) regulates the collection, use and disclosure of financial information.
  • The Health Insurance Portability and Accountability Act (HIPAA) broadly applies to health care providers, data processors, pharmacies and other entities that come into contact with private medical information.
  • The Telephone Consumer Protection Act regulates the collection and use of e-mail addresses and telephone numbers.

And since the Facebook/Cambridge Analytica brouhaha caught the attention of U.S. legislators, it’s not a stretch to think that Congress will eventually tackle the issue of data privacy and security on a national level.

Why not establish a robust process for ensuring the privacy and security of data now? It may not keep determined hackers at bay, but it will go a long way towards reducing your risk exposure and building trust with customers, investors and regulators alike. Isn’t that the best way to celebrate World Consumer Rights Day anyhow?

3 Steps to Take Now

  1. Download our eBook that explores the current Tech Terrain for Risk Mitigation.
  2. Find out why GDPR isn’t just for multinationals in our new GDPR factsheet.
  3. Read volume 3 of The Trust Issue, which focuses on how technology can help companies build trust with consumers and investors.

Posted on : 15 Mar 2019 1:15 PM

Great info!