Recent large-scale data breaches provide a stark reminder of the risks and challenges associated with today’s data-driven economy. The exploding number of devices connected to the Internet and amount of information collected about people by organizations make it increasingly important for officers, directors, and senior management to fully understand the privacy and data security risks faced by their organizations.

One of the most effective techniques for managing those risks is conducting a comprehensive privacy and data security risk assessment. Organizations use such risk assessments to maintain appropriate risk profiles based on the organization’s contractual, regulatory, and governance obligations. Regulatory schemes in some industries, including health¹ and finance,² may require risk assessments for compliance. Organizations that collect payment information to process payments as merchants or payment processors³ or deal with data collected about individuals residing in specific states⁴ may also have risk assessment obligations. Organizations commonly tailor risk assessments to meet these types of obligations for their risk tolerance and profile. A comprehensive risk assessment may include considerations of scope, documentation, timing, management, and oversight.⁵
Continue Reading Privacy and Data Security Risk Assessments: An Overview