Former UK Information Commissioner and Centre for Information Policy Leadership (the “Centre”) Global Strategy Advisor Richard Thomas was invited to make a presentation at a roundtable on Privacy Risk Management and Next Steps at the Organization for Economic Cooperation and Development’s (“OECD’s”) 37th meeting of the Working Party on Security and Privacy in the Digital Economy (“Working Party”). The meeting was attended by governmental and regulatory officials from most OECD member countries, with various other participants and observers.

The event focused on several new references to “risk” in the 2013 revised OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data in time for the main 2016 Ministerial meeting. In light of these new references, Thomas outlined the Centre’s Privacy Risk Framework project, including references to the Paris and Brussels workshops and the second white paper of the project, and explained the link between risk and accountability. In discussing the paper’s main themes, he emphasized the need for consensus around risk management models, technical standards, best practices and risk assessment tools. Thomas also stressed the key role that the OECD could play in developing and building a multinational consensus around a taxonomy of data protection harms and benefits, and a framework for assessing them.

Another speaker provided some small and medium-sized enterprises’ (“SMEs”) perspective on “risk.” He stressed that IT start-ups are mainly run by innovative, risk-taking entrepreneurs and engineers who focus on product development, sales and investment, but often are unaware of privacy issues until it is too late. He thought that a privacy risk framework template would be extremely useful for SMEs to raise their awareness of data privacy and to enable them to address basic privacy issues and manage privacy risks proactively and early on.

During the discussion that followed, the participants made the following key points:

  • Privacy risk management is a wider (and more challenging) concept than security risk management, but could learn a lot from that field;
  • The insurance and venture capital industries know a lot about risk and potentially have a great deal to offer on this topic;
  • Both organizations and regulators must set priorities and a risk-based approach is the most promising way to do that;
  • Risk assessment is one part of risk management – which is an umbrella for risk assessment, risk mitigation and residual risk management;
  • It is vital to see risk management as a balancing test, factoring in both benefits and competing fundamental rights.

In response to fears expressed by civil society that a risk-based approach could weaken fundamental rights, Thomas reminded delegates that risk management does not alter rights or obligations, nor does it take away organizational accountability. Instead, looking at the likelihood and severity of harms from the individual’s perspective should strengthen privacy protection in the real world, according to Thomas.

At the end of the discussion, the Working Party agreed that more work on privacy risk should be done by the OECD Secretariat within its 2015-16 work program.