Recently, we've seen increased regulatory focus around risk assessment and management. Up until September 2023, the Colorado Privacy Act (CPA) and the California Consumer Privacy Act (CCPA) were the two state regulations known for setting clear guidelines for data protection assessments. In September of last year, the California Privacy Protection Agency (CPPA) released draft rules on risk assessments. The release includes several regulations, some notable ones that mandate businesses to conduct and document detailed risk assessments for Personal Information (PI) processing activities and update risk assessments whenever there are changes in the processing activities. Summarized assessments are to be submitted annually and made available to the CPPA upon request.

Matters are complicated further when third parties are involved. As businesses, we tend to outsource certain functions or work with third parties for a variety of processes, products, and services. At times, without realizing it, we can take on some of the risks of the parties we work with. And while we cannot dictate the functioning of another party, it is our responsibility to mitigate and manage risks associated with the third parties we work with. In 2023, Criteo was fined €40 million by CNIL for failing to obtain proof of consent for processing data when Criteo's cookie was placed on another company's website. Even though obtaining consent is the responsibility of Criteo's partner, Criteo is not exempt from their responsibility to verify and demonstrate that consent was obtained. More recently, in February of this year, FTC imposed a $16.5 million fine on Avast for collecting and selling consumer browser data without consent through its Czech subsidiary, Jumpshot. While Avast immediately shut the subsidiary down, the FTC fine and order still applies to Avast, requiring them to make a number of changes.

Managing data privacy risks requires first identifying potential risks, analyzing those risks, categorizing them according to their impact and intensity, implementing appropriate controls to mitigate those risks, and finally following up to ensure their successful mitigation. The process appears straightforward. But when operating in a strict regulatory environment, do we sometimes overvalue risks? Or worse, underestimate them? When we're faced with a number of risks, how do we actually understand what risks are critical and what risks can be put on the back burner? How should we prioritize risks and their controls while allocating resources? Based on what should we rank risks when highlighting them to top management?

Risk management and quantification have been around for a number of years and are used for different factors. In this article, we will be looking at some common methods of quantifying risk to see how they can be used to quantify privacy risks.

# Breaking down of the risk: A key component of the well-known Factor Analysis of Information Risk (FAIR) is factor analysis itself, or breaking the risk down into measurable factors that contribute to the entire risk. Some questions to consider at this stage would be – - How often does the risk occur? (risk frequency)

• What is the severity of the risk? (risk magnitude),

• What are the chances of the risk being exploited (likelihood),

• What is the type of impact the risk would have? The CPPA draft rules categorize the negative impacts of the risks, such as constitutional harms, discrimination harms, economic harms, impairing users' control over their data, etc.

• What is the financial impact of the risk?

• What are the controls in place, and how effective are they? (control strength). Getting clarity on these questions will help you understand and categorize your risk better.
  

# Understanding your data and the context around the risk: You can't analyze something you don't understand. When trying to quantify risk, it is crucial to first understand the components involved and the context around the risk. For example, storing personal information (PI), like users' names, home addresses, race, gender, etc., can be risky. The context of the information is also important; for example, where the data is stored, who has access to the data, why the data has been collected, to whom the data is shared with, etc., all contribute to analyzing and assessing the risk level of storing that PI. Here, it is imperative to speak to those associated with the risk itself to get first-hand, real-time information from them. Taking the above example, system owners of the systems that store the PI should be contacted, and relevant information should be obtained from them to gain a full understanding of the risk.

# Assigning numerical values to the risk factors: Once accurate information about the risk factors and their context has been obtained, numerical values can be assigned to the factors to depict its severity. An alternative to numerical values is simply categorizing the risks as high, medium, or low. Categorizing risks in this way helps plan, prioritize, and manage the risks accordingly.

# Analyze existing controls: Review the controls already in place to understand their effectiveness. Based on whether existing controls are highly effective or not, the severity of the risk can increase or decrease.

# Once the risks have been categorized, a register can be created to get an overview of the different existing risks within the company. Based on severity, different risks can be picked up and prioritized.

When assessing risks, there have been several different approaches implemented; both qualitative and quantitative metrics have been used. When it comes to privacy risks, Privacy Impact Assessments (PIAs) are key. PIAs have slowly become a regulatory requirement used to demonstrate compliance with regulations and show the effectiveness of the company's privacy program. However, even when using PIAs, quantifying and assessing the different risks is required. And while not all risks are calculable, nearly all have components/factors that can be used to assess the risk and quantify it.