How to assess your organisation’s privacy risks

Organisations rely on personal data more than ever, collecting people’s information to fulfil any number of tasks. But the opportunities that personal data gives organisations come with the responsibility of keeping it secure. This doesn’t just mean protecting your organisation from data breaches and cyber attacks, but also respecting data subjects’ privacy.

Personal data passes through many areas of a business, and it needs to be kept secure at all times, whether it’s saved on a database, stored in hard-copy form in an office, or being transferred to or from third parties. Each area has its own risks, and the OWASP Top 10 Privacy Risks Project lists some of the most prominent:

  1. Web application vulnerabilities, including injection flaws (which allow attackers to copy or manipulate data) and sensitive data exposure (which allows attackers to gather sensitive information).
  2. Operator-sided data leakage, which consists of any failure to prevent the leakage of information containing or related to user data.
  3. Insufficient data breach response, such as failing to inform affected data subjects about a possible breach or data leak.
  4. Insufficient deletion of personal data, i.e. not deleting data subjects’ information after a set period of time or when it is no longer necessary.
  5. Non-transparent policies, terms and conditions, such as failing to provide sufficient information on how data is collected, stored and processed.
  6. Collection of inessential data, including descriptive or demographic information that’s not needed for the purposes of the system.
  7. Sharing data with a third party without obtaining the data subject’s consent.
  8. Outdated personal data, including incorrect or bogus data, or the failure to update data when it’s no longer correct.
  9. Missing or insufficient session expiration, i.e. failing to effectively enforce session termination. This might result in an organisation collecting additional data without the user’s consent.
  10. Insecure data transfer, i.e. failing to provide data transfers over secure channels or to put in place mechanisms limiting the leak surface.

Data mapping

To help prevent privacy risks, organisations need to make sure that data is flowing securely from one place to the next. Vulnerabilities in the flow of data create the risk of a personal data breach. This doesn’t necessarily mean that the data is stolen, as the definition of a breach includes the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

You can manage the way data moves through your organisation with our Data Flow Mapping Tool.

Produced by Vigilant Software, this tool simplifies the process of creating data flow maps, giving you a thorough understanding of what personal data your organisation processes and why, where it is held and how it is transferred.

With this tool, you can create consistent visual representations of the flow of personal data through your business without having to resort to time-consuming drawing methods, such as pen and paper or vector graphics.

The maps can be reviewed, revised and updated when needed, which will help you comply with new laws and regulations, such as the EU General Data Protection Regulation (GDPR).
