A Risk-based Approach to Privacy: Improving Effectiveness in Practice
The Centre for Information Policy Leadership
06/19/2014
Abstract
In January 2014, the Centre for Information Policy Leadership (the Centre) launched a multiyear project on the risk-based approach to privacy: The Privacy Risk Framework Project. This project elaborates on the Centre’s earlier project on organisational accountability, particularly in seeking to develop the analytical framework and tools needed to implement certain key aspects of accountability. Specifically, the goals of this project are set forth in the following Project Vision Statement:
Principle-based data privacy laws often leave room for interpretation, leaving it both to organisations to make appropriate decisions on how to implement these principles and to regulators on how to interpret and enforce the law. The Privacy Risk Framework Project aims to bridge the gap between high-level privacy principles on one hand, and compliance on the ground on the other, by developing a methodology for organisations to apply, calibrate and implement abstract privacy obligations based on the actual risks and benefits of the proposed data processing. While certain types of risk assessments are already an integral part of accountable organisations’ privacy management programs, they require further development. This project seeks to build consensus on what is meant by privacy risks to individuals (and society) and to create a practical framework to identify, prioritise and mitigate such risks so that principle-based privacy obligations can be implemented appropriately and effectively.
On March 20, 2014, the Centre held a workshop in Paris during which more than 50 privacy experts, industry representatives and regulators discussed their experiences and views with respect to the risk-based approach to privacy, the privacy risk framework and methodology, as well as goals and next steps in this project.
This paper, titled “A Risk-based Approach to Privacy: Improving Effectiveness in Practice”, is a developed version of the earlier discussion paper distributed to the participants of the workshop. It incorporates feedback from the Paris workshop and input received in subsequent consultations with Centre members and project participants.