Cyber Risk Advisory

Rethinking Risk: Privacy as a Strategic Enterprise Concern

Gwen Takagawa
Senior Consultant, Coalfire

Brittany Brown
Senior Consultant, Coalfire

April 17, 2025

Enterprise risk is entwined with each company’s business model, strategies, and operations. Each organization has a unique risk fingerprint – a combination of vulnerabilities, threats, opportunities, and risk appetite shaped by its industry, market position, and regulatory environment.

As cybersecurity and data privacy professionals, we have observed a key trend: organizations with an enterprise risk management (ERM) program are likely to have a well-defined approach to cybersecurity risk and a structured plan for legal and compliance risk. Yet data privacy risk is often overlooked.

This finding aligns with industry research. The International Association of Privacy Professionals found in 2023 that only half of surveyed respondents have an established privacy risk appetite.

This gap can be costly. Privacy mismanagement is not just a compliance issue. It introduces operational risk, weakens the security posture, and erodes customer trust. Failing to integrate privacy into risk programs leads not only to regulatory penalties but also to harm to individuals, reputational damage, and unforeseen business disruption.

In this blog, we’ll explore:

  • What constitutes a privacy risk,
  • Real-world examples of privacy risks that enterprises often miss, and
  • Practical strategies to capture and mitigate privacy risks effectively.

What are privacy risks?

Privacy risk stems from the collection, use, sharing, or exposure of personal data. When privacy risk is realized, individuals experience privacy harms. Daniel Solove’s Taxonomy of Privacy Harms provides insight into the diversity of harms, from the obvious (e.g., a data breach revealing sensitive information due to the company’s failure to protect it) to the nuanced (e.g., increasing the accessibility of personal information, such as unredacted court rulings becoming searchable online).

From an enterprise-risk standpoint, privacy risk creates business risk. When harms impact individuals, businesses experience reputational damage, loss of consumer trust, and regulatory and/or legal penalties.

The NIST Privacy Framework visualizes this indirect impact as follows:

[Figure: NIST Privacy Framework, privacy risk pathway. Image source: NIST Privacy Framework.]

Privacy regulations can also create business risk, such as disruption to business operations when cross-border data transfers are called into question.

Cybersecurity risk, by contrast, arises from threats to and vulnerabilities in the systems, networks, and data being protected. It affects organizations through business disruption, data loss, and reputational damage.

While some privacy risks overlap with cybersecurity risks (e.g., data breaches), mitigation measures can be significantly different. Approaching a data store with a cybersecurity lens may lead the business to escalate security protocols to reflect the sensitivity and classification of data stored. Viewing the data store through a privacy lens, however, may question the necessity of collecting, storing, or retaining the most sensitive data.

The Consequences of Overlooking Privacy Risk

One of the tasks typically assigned to a Board of Directors is establishing the risk appetite for the business. When privacy risk is not formalized in the ERM program, the board has no visibility into the risk that the organization's handling of personal data poses to the business. Left as an "unknown unknown," privacy risk is an unmanaged ticking time bomb.

The table below provides real-world examples of activities that introduce privacy risk, yet which are often approached solely from a cybersecurity lens. The table demonstrates the different questions that would be asked by security versus privacy practitioners. While many more risks could be identified, these are representative of the complementary insights offered by cybersecurity and privacy throughout the data lifecycle.

Activity: IT team migrates client data to the cloud.
  Security lens: Are security controls in place during the transfer?
  Privacy lens: Has the cloud service provider signed a data processing agreement? Have clients agreed to the new sub-processor?

Activity: Marketing finds a user database and adds the emails to a marketing list.
  Security lens: Did marketing have authorization to access the data?
  Privacy lens: Did users consent to, or receive notice of, the marketing use of their data?

Activity: The app team needs production data (including PII) in lower environments.
  Security lens: Are security controls in the lower environments equivalent to production?
  Privacy lens: Is this use allowed under the data processing agreements? Could the data be anonymized, or sensitive fields excluded or masked, to reduce risk? Can access to the lower environments in question be more tightly controlled? Could synthetic data be used instead?

Activity: Various personnel access sensitive information.
  Security lens: Does role-based access align with the HR system?
  Privacy lens: Does role-based access take into account data fields with heightened sensitivity?

Activity: Marketing adds a new cookie to the website.
  Security lens: Are cookies encrypted or signed?
  Privacy lens: Is the cookie linked to a consent tool for data collection, and are the mandatory privacy notices and opt-out options in place?

Activity: Organization acquires an AI tool.
  Security lens: How is the AI model protected from attacks?
  Privacy lens: What guidelines are in place to protect against the risks of training the model on personal or proprietary information?

Activity: Product team bypasses procurement, giving a vendor access to sensitive data without review.
  Security lens: Does the vendor pose a security risk to the infrastructure?
  Privacy lens: Is a data processing agreement in place before personal data is shared with the vendor? If client data is involved, were clients notified in advance?


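The lower-environment row above asks whether sensitive fields can be excluded or masked before production data leaves production. The script below is an added example of what that looks like in practice; it is not Coalfire's code or part of the original post. The record layout, the field policy, and the records themselves are constructed for illustration. Each field is handled by an explicit policy entry (keep, drop, pseudonymise, mask, generalise), and any field that has no entry stops the export rather than being copied through by default.

```python
"""Minimise and pseudonymise a production extract before it is copied to a
lower environment. Added example; the records, field names, policy and key
are all constructed for illustration and are not real data."""
import hashlib
import hmac
from typing import Any

# Constructed production-style records (not real people, not real data).
# C-1001 appears twice so that the join-key property can be checked.
PRODUCTION_EXTRACT: list[dict[str, Any]] = [
    {"customer_id": "C-1001", "email": "ana.lopez@example.com", "full_name": "Ana Lopez",
     "dob": "1988-04-12", "ssn": "123-45-6789", "plan": "pro", "last_login": "2025-03-30"},
    {"customer_id": "C-1002", "email": "b.okafor@example.org", "full_name": "Bayo Okafor",
     "dob": "1975-11-02", "ssn": "987-65-4321", "plan": "free", "last_login": "2025-04-01"},
    {"customer_id": "C-1001", "email": "ana.lopez@example.com", "full_name": "Ana Lopez",
     "dob": "1988-04-12", "ssn": "123-45-6789", "plan": "pro", "last_login": "2025-04-02"},
]

# Hypothetical field policy agreed with the app team: what staging actually
# needs, and how each field is treated on the way out of production.
#   keep         copied unchanged (needed for test cases, not identifying alone)
#   drop         never leaves production
#   pseudonymise replaced by a keyed hash, so joins across tables still work
#   mask_email   local part redacted, domain kept
#   year_only    ISO date reduced to the year (generalisation)
POLICY: dict[str, str] = {
    "customer_id": "pseudonymise",
    "email": "mask_email",
    "full_name": "drop",
    "dob": "year_only",
    "ssn": "drop",
    "plan": "keep",
    "last_login": "keep",
}


def _pseudonymise(value: str, key: bytes) -> str:
    # HMAC rather than a bare hash: without the key, someone with staging
    # access cannot rebuild the mapping by hashing guessed customer IDs.
    # Truncated to 16 hex characters for readability.
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def _mask_email(value: str) -> str:
    local, _, domain = value.partition("@")
    if not domain:
        return "***"          # not a well-formed address; redact entirely
    return f"{local[:1]}***@{domain}"


def _year_only(value: str) -> str:
    return value[:4]          # "1988-04-12" -> "1988"


def minimise_record(record: dict[str, Any], policy: dict[str, str], key: bytes) -> dict[str, Any]:
    """Apply the field policy to one record and return the reduced copy."""
    unmapped = set(record) - set(policy)
    if unmapped:
        # Fail closed: a column added in production after the policy was
        # written must be classified before it can leave production.
        raise ValueError(f"fields without a privacy policy entry: {sorted(unmapped)}")
    out: dict[str, Any] = {}
    for field, value in record.items():
        action = policy[field]
        if action == "drop":
            continue
        if action == "keep":
            out[field] = value
        elif action == "pseudonymise":
            out[field] = _pseudonymise(str(value), key)
        elif action == "mask_email":
            out[field] = _mask_email(str(value))
        elif action == "year_only":
            out[field] = _year_only(str(value))
        else:
            raise ValueError(f"unknown action {action!r} for field {field!r}")
    return out


def minimise_extract(records: list[dict[str, Any]], policy: dict[str, str], key: bytes) -> list[dict[str, Any]]:
    return [minimise_record(r, policy, key) for r in records]


if __name__ == "__main__":
    import secrets
    # The key stays with the production export job and is never shipped to
    # staging. A fresh key per refresh also stops rows being linked across
    # refreshes.
    export_key = secrets.token_bytes(32)
    for row in minimise_extract(PRODUCTION_EXTRACT, POLICY, export_key):
        print(row)
```

Two caveats a reviewer would raise. First, the output is pseudonymised, not anonymised: whoever holds the key can re-identify the rows, so under the GDPR the result is still personal data and the data processing agreements in the table still apply. Second, the policy dictionary is the artefact the privacy stakeholder should sign off on; it records, per field, the decision that the privacy-lens questions in the table ask for.
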
Embedding Privacy into the ERM Program

Even after security risks have been mitigated, privacy risks may remain unidentified and unresolved. The level of risk seen through the privacy lens can differ from the security assessment as much as the mitigation measures do.

To capture those differences, activities need to be documented in the risk register not just as security risks, but also as privacy risks. Any time personal data is processed for business purposes, risk stakeholders should assign an owner responsible for applying the privacy lens. Consistent visibility is also helped by monitoring a small set of privacy-related metrics (the Future of Privacy Forum has published suggested metrics for this purpose).

Many privacy laws (e.g., the GDPR, which requires data protection impact assessments, and the Colorado Privacy Act, which requires data protection assessments) mandate a privacy impact assessment for higher-risk processing, formalizing the assessment of risk to the people whose data is processed. These assessments are valuable inputs to the enterprise risk register.

Another helpful approach is privacy by design. This means embedding privacy stakeholders in the requirements phase, the change approval process (e.g., on the change advisory board, CAB), security architecture reviews, and other major project decision points. Consistently addressing the privacy perspective at change approval both mitigates privacy risk and captures it for the enterprise risk register.

While every organization's privacy risks are unique, adopting cross-industry frameworks (such as the NIST Privacy Framework, or the Program Management (PM) and PII Processing and Transparency (PT) control families in NIST SP 800-53 Rev. 5) can help risk practitioners proactively assess and manage these challenges.

Conclusion

Privacy is no longer just a legal or compliance concern. It is a business imperative with real-world consequences. When privacy risk is left out of the enterprise-risk conversation, the business suffers, threatening customer trust, operational continuity, and regulatory standing.

Leaders who want a more complete view of enterprise risk must ensure that privacy is treated as a distinct discipline. This means going beyond the security perspective to identify data risks that impact humans.

Integrating privacy risk into ERM is not just good governance. It is a strategic move that enhances the company’s business model, strategies, and operations, and promotes long-term resilience.