RISK ASSESSMENT
The risk assessment process should be tailored to the organization’s needs. It can include the following steps:
Initial Data Flow Mapping
The deliverable for this activity is a data flow diagram or spreadsheet. It identifies data collected, accessed, used, shared, stored and deleted. Data and systems are assigned to owners and custodians. Data is classified in terms of its sensitivity, which determines the strength of required controls. This is a valuable starting point to unlock a systematic approach to privacy management.
This also enables you to demonstrate to a regulator, auditor or third party that appropriate governance is in place. Sometimes data maps are requested as part of due diligence. Mapping will indicate gaps in formal ownership and reveal opportunities for improved or new controls, as well as areas for improved or new efficiency in business processes and systems.
Risk Assessment
The deliverable for this activity is a risk assessment report. In collaboration with relevant client staff, Waltzer documents foreseeable risks and determines materiality and priority. Confirmed material risks are assigned to a risk owner, the risk response is determined, and, where appropriate, a risk mitigation plan is developed.
A periodic risk assessment is required by many laws, regulations, guidance and standards. It helps move beyond compliance to a best practice posture.
Policy and Procedure Documents Review and Gap Analysis
The deliverable for this activity is a review report. Waltzer reviews any internal policy and procedure documents for adequacy. These typically include the internal privacy policy, privacy impact assessment procedure, data breach response procedure, access and correction request procedure, complaints procedures and other associated documents. This is an audit of your organization’s privacy readiness. We provide recommended mark-ups to remediate shortcomings as part of this report.
Note: If key policy and procedure documents do not currently exist, we can help you to produce them.
Gap and Risk Register
Waltzer can provide a Register with control gaps and risks identified during our assessment. This facilitates active tracking and management of gaps and risks formally identified during earlier stages of assessment and can be maintained for future use.