Risks result from adverse effects of data processing and data breaches. What adverse effects do we need to consider? In doing Data Protection Impact Assessments (DPIAs), we are considering risks that result from possible harms to data subjects. Risks result from harms or adverse effects to data subjects, either through the routine processing we are considering, or from a breach of the data.
Harms could arise from
-
Unauthorised access to personal data
-
Re-identification of anonymised data
-
Unintended sharing or exposure of sensitive information
-
Excessive sharing
-
Accidental or deliberate erasure or falsification of data
-
Automated decision making or profiling
-
Data misuse
-
Inability to execute data protection rights or lack of transparency
Harms
1. Financial
- Identity theft leading to fraud
- Financial loss due to misuse of banking or payment data
- Unauthorised transactions or credit fraud
- Blackmail and extortion
- Costs of avoiding or mitigating harm (such as moving house)
- Impacted credit rating
2. Psychological and Emotional
-
Distress or anxiety from exposure of personal details, extending possibly to next of kin
-
Reputation damage due to sensitive or misleading data leaks
-
Targeted harassment, discrimination, or blackmail
3. Physical and Personal Safety
-
Risk of stalking or harassment if location data is leaked
-
Threats to personal security due to exposure of home address or routines
-
Harm to vulnerable groups (e.g. victims of abuse, protected witnesses)
4. Discrimination and Social Bias
-
Biased algorithmic decisions leading to unfair treatment
-
Profiling that affects job opportunities, insurance, or creditworthiness
-
Unfair denial of services due to automated decision-making (e.g. job market)
5. Unsolicited intrusion
-
Unwanted communications
-
Physical intrusion of privacy
6. Loss of Control over Personal Data
-
Inability to manage risk associated with data leaked to the public domain
-
Destruction of unique records
-
Time spent in attempts to understand or recover lost data
-
Limited understanding of data protection rights
7. Lack of Autonomy, Coercion, Manipulation
-
Restricted daily routines
-
Ill-informed or ill-advised decisions
8. Erosion of Trust
-
Trust in organisation damaged
-
People discouraged from reporting data protection failures
-
People discouraged from engaging in digital society
-
Trust in law and justice eroded
9. Legal and Regulatory
-
Violation of data protection laws (e.g., GDPR, DPA2018)
-
Fines or penalties due to compliance failures
-
Liability claims from affected individuals
10. Operational and Business
-
Loss of trust and reputational damage
-
Increased regulatory scrutiny and audits
-
Disruption of business processes due to data integrity issues
Each of these risk categories should be carefully evaluated, considering likelihood and impact, to ensure that appropriate mitigation measures (e.g., encryption, access controls, privacy-by-design) are in place. Would you like help with a risk assessment framework for data processing and breaches? Contact us today!