Practice Note: How to Conduct a Data Risk Impact Assessment
THE PURPOSE OF DATA RISK IMPACT ASSESSMENT
The purpose of a Data Risk Impact Assessment (DRIA) is to identify the relevant data protection risks and the appropriate measures that need to be put in place to avoid those risks.
According to the Information Leaflet on Privacy Impact Assessments (PIA) (Oct 2015) (“Leaflet”) issued by the Privacy Commissioner for Personal Data (PCPD) in Hong Kong, a DRIA offers data users (i.e. businesses) an “early warning” by identifying and detecting privacy problems associated with a project or process before it is implemented.
Under the current Personal Data (Privacy) Ordinance (“PDPO”), it is not mandatory for businesses to conduct a DRIA. However, the PCPD in Hong Kong has stated that conducting periodic risk assessments and privacy impact assessments is an important part of a privacy management programme (PMP): see Privacy Management Programme - A Best Practice Guide (Aug 2018) (“Guidelines”).
This Practice Note will highlight the key features of the process for carrying out a DRIA.
WHEN DO WE NEED DATA RISK IMPACT ASSESSMENT (DRIA)?
A DRIA is usually used in the following circumstances: -
(1) where a new project or product is launched;
(2) where a new data handling process is introduced;
(3) where the business faces new or changed regulatory requirements; and/or
(4) where new data processors are engaged.
The Leaflet also recommends that a DRIA be undertaken where a business implements privacy-intrusive technologies that might affect a large number of individuals, or where a major change to organisational practices has taken place that might expand the amount and scope of personal data held.
ASSIGNING A RISK ASSESSMENT TEAM
Unlike the EU’s GDPR, the PDPO does not require businesses to appoint a designated data protection officer (DPO).
However, the Guidelines do recommend that businesses appoint a DPO to oversee the business’ compliance with the PDPO and the implementation of the PMP.
In the context of a DRIA, the DPO usually initiates the DRIA and monitors, reviews and advises on it. The DPO is also responsible for assembling the DRIA team.
The team is usually composed of the DPO, a Lead Risk Assessor and a Risk Assessor; depending on the complexity of the scope, a Data Analyst may also be needed.
SCOPE OF THE DRIA
After the risk assessment team is assembled, the team should set out the scope of the DRIA in clearly defined terms. For example, when assessing the data protection risks of a business operation, the scope should cover factors such as the legal jurisdiction(s), the specific business unit(s), the IT systems and networks, and the internal and external stakeholders.
Depending on the context and scope of the DRIA, the information and documents that need to be gathered for the assessment will differ.
The assessment questionnaire should involve two (2) stages. The first stage should be used for collecting general and preliminary information, such as: -
(1) objectives of the business/project;
(2) operation of the business/project;
(3) responsible officer & department;
(4) types of personal data collected;
(5) number of data subjects involved;
(6) data processor(s) involved; and
(7) cross-border transfer of personal data.
The second stage should be used to collect more specific information in relation to the data processing cycle, such as: -
(1) how the data is collected;
(2) how the data is processed;
(3) retention period and the maintenance of the accuracy of the data;
(4) the intended use of the data;
(5) how the data is secured, so as to prevent unauthorised or accidental access, loss or use of the data;
(6) what policies and/or practice guidelines are in place to comply with the PDPO; and
(7) other laws, regulations and industry standards which may require additional or extra safeguards in relation to personal data.
IAE - IDENTIFY, ANALYSE AND EVALUATE THE RISKS
It is important to identify and categorise the data protection risks as legal, operational or managerial risks, and analyse the risks in terms of likelihood and impact. The risks should also be classified as high, moderate or low.
After analysing the nature of each risk, the team should evaluate whether the risk is acceptable and whether it needs to be treated. The treatment tasks should then be prioritised in a risk treatment plan. The assigned team should also decide what options are available to mitigate each risk, and what controls should be put in place to achieve that.
DRAFTING THE DRIA REPORT
A comprehensive report should be drafted by the assigned team. The DRIA Report should include the terms of reference, limitations of the report, summary of key findings, data protection analysis, risk classifications, treatment options, and recommendations.
Once the DRIA Report is completed, the assigned team should seek management approval and implement the recommendations as soon as possible.
Aurum (Data Governance) Consultancy (“ADG”) has recently been engaged by a Hong Kong-based employment agency firm to conduct a DRIA of its internal business operations. The DRIA went into detail to identify, analyse and evaluate the data protection risks, and made more than twenty (20) recommendations, ranging from policy implementation to technical and operational improvements.
The case is also unique in that it concerned the Employment Agency Regulations (Cap. 57A) and the Code of Practice for Employment Agencies in Hong Kong, which require employment agency licensees, such as our client, to observe additional data protection requirements. Our DRIA, therefore, had to assess, evaluate and address this additional legal risk.
For more information regarding how to handle a data breach or a data breach handling policy, please contact ADG at email@example.com or Tel: +852 3725 4806.