A Personal Data Value at Risk Approach
Luis Enriquez

TL;DR
This paper introduces a quantitative risk management approach for data protection compliance, aiming to improve impact assessments through analytics, risk analysis, and expert calibration, addressing gaps in current subjective methods.
Contribution
It proposes a novel quantitative framework for data protection risk management to enhance GDPR compliance and impact assessments.
Findings
Introduces a data protection risk quantification method
Demonstrates improved impact assessment accuracy
Suggests a mindset shift in risk management practices
Abstract
What if the main data protection vulnerability is risk management? Data Protection merges three disciplines: data protection law, information security, and risk management. Nonetheless, very little research has been done in the field of data protection risk management, where subjectivity and superficiality are the dominant state of the art. Since the GDPR tells you what to do, but not how to do it, the solution for approaching GDPR compliance is still a gray zone, where the trend is using the rule of thumb. Considering that the most important goal of risk management is to reduce uncertainty in order to take informed decisions, risk management for the protection of the rights and freedoms of the data subjects cannot be disconnected from the impact materialization that data controllers and processors need to assess. This paper proposes a quantitative approach to data protection risk-based…
Taxonomy
Topics: Insurance, Mortality, Demography, Risk Management
