Privacy Risk Reviews

Privacy risk ratings quantify the privacy risks associated with data processing. We characterize privacy risk as the likelihood of any given problem arising from data processing, multiplied by the impact that problematic data processing has on the data subject and eventually on the institution.

Risk = Likelihood × Impact

Sometimes privacy risks present compliance risks, meaning that the university could be noncompliant with a regulation. Other times, privacy risks may not result from any technical noncompliance, but still pose risks to people. Those risks should be carefully evaluated. We do this through a privacy risk review. 

Data subjects can experience various problems as a result of data processing. These may be intangible harms like embarrassment or social stigma. They may also be more tangible harms such as discrimination, economic loss, or threats to physical safety. Eventually the problems that individual data subjects experience also impact the institution by way of noncompliance costs, harm to brand and reputation, and revenue loss from customer abandonment of goods and services (Fig. 1).

Fig. 1 Privacy Risk and Organizational Risk Relationship, based on NIST Privacy Framework 1.0 (flow chart: "Problem arises from data processing" leads to "Individual experiences impact", which leads to "Organization experiences impact").

We already do security reviews, so why do a privacy review too? 

As the National Institute of Standards and Technology (NIST) Privacy Framework makes clear, managing cybersecurity risk is necessary for managing privacy risk, but it is not sufficient on its own, because privacy risks can arise by means unrelated to cybersecurity incidents (Fig. 2). UW-Madison's review process addresses both security and privacy risk in a way that is robust but streamlined, so that the risk review process places less burden on our partner units.

Fig. 2 Cybersecurity and Privacy Risk Relationship, from NIST Privacy Framework 1.0 (Venn diagram: cybersecurity risks and privacy risks overlap in cybersecurity-related privacy events).

How do we quantify privacy risk?

Risk = Likelihood × Impact

Rows are the Likelihood score (1-5), columns are the Impact score (1-5). Each cell shows the product (the risk number) and its rating.

Likelihood \ Impact | 1          | 2         | 3         | 4            | 5
5                   | 5 LOW      | 10 MEDIUM | 15 HIGH   | 20 VERY HIGH | 25 VERY HIGH
4                   | 4 LOW      | 8 MEDIUM  | 12 MEDIUM | 16 HIGH      | 20 VERY HIGH
3                   | 3 LOW      | 6 MEDIUM  | 9 MEDIUM  | 12 MEDIUM    | 15 HIGH
2                   | 2 LOW      | 4 LOW     | 6 MEDIUM  | 8 MEDIUM     | 10 MEDIUM
1                   | 1 VERY LOW | 2 LOW     | 3 LOW     | 4 LOW        | 5 LOW

What do our risk numbers mean?

Risk = Likelihood × Impact

Rating (Likelihood × Impact): rating definition and prescribed action

Very High Risk (20-25): There is very high risk in processing the data. The number of data subjects is very large, the data is special category data, and the data flow indicates that the data will be shared or will flow through multiple tools or processes. The data is attractive to a threat actor, and there may be evidence that a threat actor has accessed data from this tool in the past. The vendor does not have a privacy program. A security review has indicated vulnerability. The impact of a breach is catastrophic to the financial, employment, professional, or reputational interests of the data subject, and the likelihood is critically high given the lack of protective measures and the capabilities of the threat actor.

High Risk (13-19): There is high risk in processing the data. Some combination of the following factors is present, though not all of them: the number of data subjects is very large, the data is special category data, and the data flow indicates that the data will be shared or will flow through multiple tools or processes. The impact to the financial, employment, professional, or reputational interests of the data subject is very high, and the likelihood is highly disruptive. Security controls exist but may not be sufficient, or cannot be assessed.

Medium Risk (6-12): There is medium risk in processing the data. The number of data subjects is small to moderately large, and some special category data may be included. The data flow indicates limited sharing, or sharing with known partners. The vendor has a privacy program or privacy policies. The impact to the financial, employment, professional, or reputational interests of the data subject is potentially significant or likely. The security controls are strong or sufficient.

Low Risk (2-5): There is low risk in processing the data. The number of data subjects is likely small, and the majority of the data is not special category data. The data flow indicates limited or no sharing, or sharing with known partners. The vendor has a privacy program or privacy policies. The impact to the financial, employment, professional, or reputational interests of the data subject is small, and the likelihood is low. The security controls are strong.

Very Low Risk (1): There is very low or negligible risk in processing the data. The number of data subjects is small, the data is not special category data, and the data is not being shared. The vendor has a privacy program or privacy policies. The impact is negligible and the likelihood is very unlikely. A security review has not indicated vulnerability.


Privacy Risk Mitigation and Decision Making

The UW-Madison privacy program unit in the Office of Compliance works with partner units to identify and quantify risk, but what comes next? The office does not prohibit particular tools or processing activities; rather, it plays a role in risk assessment so that the partner unit can make an informed decision about the risk. When privacy risk is low or medium-low, the unit may accept the risk and use the tool. Units should devote continual resources to monitoring security and privacy risk. When risk is medium or high, units have a number of options. For example:

Accepting the risk: the risk executive may decide that the risk is low and the benefit high, and that the risk is acceptable.

Mitigating the risk: there may be additional privacy and security measures that can be put into place to reduce the risk to an acceptable level.

Sharing the risk: identifying contractual terms that allow UW-Madison to share the risk with other organizations, or more specific notices that allow data subjects to make an informed decision to take on the risk.

Avoiding the risk: in some cases, the risk is too critically high, and the tool, vendor, or process should not be used under the current circumstances.


Ask Questions or Request a Review

If you have a general privacy question, or if you see public access to special category data, contact Claire Dalle Molle at claire.dallemolle@wisc.edu.

If you need a privacy and security review for a new tool or technology, contact RMC under "RMC Assessment Types."

If you have a question about access to institutional data, contact the relevant data steward.