Data privacy risk scores are essential to operations today. What's yours and how was it calculated?

Your Privacy Risk Score:  What Is It and How is it Calculated?

What is your organization’s privacy risk score?  Do you know?  How about the privacy risk scores of each employee and vendor/partner associated with your organization?  Do you have that information readily available as part of your data privacy risk mitigation practices?  Don’t feel bad if you do not know the answer to these questions.  Many do not.  Yet, even those who do have some answer to these questions may not have as clear an understanding of their risk as they think they do.  Why?  Because few people know much about privacy risk scores: how they are derived, and how accurate the underlying data and calculations actually are.  Do you know how your organization came by any metrics of its data privacy risk?

Whether you already have some kind of privacy risk assessment and scoring process in place or not, understanding what these terms mean and how these assessments and scores are derived is critical to protecting your organization and its people.  Even if you’re already engaged with a solution provider purporting to provide privacy risk assessments and privacy risk scores to you, it is imperative to understand how they’re derived and whether or not what you’re being told about your risk is accurate and actionable.

This paper answers the questions “What is a privacy risk assessment and a privacy risk score?” and “Can I trust the accuracy of the scoring that may already be in place for myself or my organization?”  It also illuminates the enormous variability of scoring mechanisms being developed and deployed by data privacy management professionals – whether they’re working in-house or with a third-party provider of privacy management services.  

This matters because, with so many offerings and methodologies available, it can be difficult to know whether one’s chosen strategy is appropriate or even effective at all.  And nothing is worse (or more dangerous) than operating under a false sense of security when it comes to the truly consequential risks associated with inadequate data privacy in the workplace.

The Rise of the Data Privacy Management Industry and Role of the Privacy Risk Score

As awareness continues to grow surrounding the very real risks and consequences associated with inadequate data privacy, individuals and organizations alike seek products and services designed to protect themselves from harm.  Demand for such products, services and talent is at stratospheric highs as examples and evidence of the harm suffered by individuals and organizations pile up in daily news reports.  Fortune Business Insights reports “the global data privacy software market size was valued at $1.99 billion in 2022 & is projected to grow from $2.76 billion in 2023 to $30.31 billion by 2030”.  CPO Magazine reports open data privacy jobs jumped by 30% in 2022 and are expected to remain high for the foreseeable future.

Reports of cybercrimes leveraging unsecured external data and Personally Identifiable Information or “PII” are at all-time highs and are accelerating in frequency.  Organizations are racing to find ways to slow, arrest and eventually reverse the tide of crimes like ransomware attacks, social engineering scams, physical attacks on employees, IP theft, HR poaching and other damaging activities where data privacy (or the lack of it) is the critical factor in the success of the wrongdoing.

The 2023 Privacy Risk Study produced by the International Association of Privacy Professionals (IAPP) with the Big Four accounting firm KPMG reveals evidence of the awareness of the need for privacy management solutions.  It also highlights the depths of today’s confusion about how to address the challenge.

The study’s key takeaways included a seemingly clear understanding of the privacy risk types among the study’s participants.  The IAPP report says, “The five highest priority privacy risk domains identified by participants were data breaches, non-compliant third-party data processing, ineffective privacy by design implementation, inappropriate personal data management and insufficient privacy training for employees.”   However, the report also notes that, “While the complexity, variety and scale may vary from organization to organization, all organizations that process personal data contend with privacy risk.” 

The difficulty in properly achieving the identified privacy management goals lies in overcoming several daunting hurdles.  Perhaps the most difficult of these is the inability to deliver privacy compliance programs that can effectively keep pace with ongoing, fractious regulatory change.  IAPP says, due to “the challenge of obtaining and subsequently maintaining full compliance with proliferating, and even conflicting, privacy laws around the world… organizations need to find ways to identify, assess, evaluate and treat privacy risk.”

While the challenge of evolving regulatory requirements impacts more at the organizational level, there are also difficult challenges posed by the evolving online activities of individuals.  A recently published scholarly article on ScienceDirect (Elsevier’s journal platform) titled “Privacy Risk Assessment and Privacy-Preserving Data Monitoring” is highly relevant here.  The piece posits that, “The widespread use of digital services has led to individuals’ concerns on security and privacy, as well as on the processing of their personal information by data processors and third parties. On the other hand, technological advancements continue to deliver services, tools, and applications that are increasingly demanding of Personally Identifiable Information (PII). These demands are justified for the sake of data analytics, to drive businesses, and generally to enhance user experience.  This is applicable in a large variety of areas: public administrations, health care, business and many others. In this context, demand for novel and effective ways of protecting and controlling PII has never been so high.”

More to the point as regards the efficacy of solutions designed to address privacy management, the authors of the paper stated, “Although organizations mostly comply with regulations, there is a lack of approaches where users, not organizations, are the benefited party. As such, it is necessary to develop solutions that are not only compliant with privacy regulations but also user-driven. Users need to fully understand how and why their personal data is processed by third parties. They should also be involved when their data is exchanged between third parties, especially when such data transitions may – in some cases – pose privacy risks.” 

Later in this paper, when examining “what to look for in an effective privacy risk management solution”, this distinction between the privacy risks facing individuals and those facing organizations becomes salient.  The reasons why the best solutions address both individual and organizational privacy risks, and score both, are elaborated there.

What is becoming clear to those tasked with managing data privacy risk is that, in a climate where organizations grapple with a complex privacy risk environment and evolving threat types, it can be costly and difficult for organizations to manage these processes using strictly internal resources.  Moreover, shifting consumer expectations on privacy and increasing scrutiny of the privacy practices of businesses and organizations put further pressure on those responsible for protecting information security.  The following data from the IAPP/KPMG report crystallizes the broad awareness of the challenge and the limited capacity of organizations to address it.

Almost 93% of organizations indicated privacy is a top-10 organizational risk, and 36% ranked it within the top five.

83% of organizations place some kind of privacy risk information in their annual report.

64% of organizations have a privacy risk management program that is fully integrated into their overall enterprise risk management program.

Only 50% of organizations have an established privacy risk appetite.

Almost 30% of organizations use spreadsheet technology to help manage their privacy risk efforts.

The most commonly cited emerging privacy risk, named by 21% of participants, was difficulty maintaining compliance across various regulatory regimes with differing and/or evolving requirements.

This juxtaposition between the awareness of the need for solutions to privacy risk management and the relative inability of organizations to address the monumental task explains the rise of third-party solution providers.  An entire marketplace for privacy management solutions has emerged to meet the burgeoning demand created by the epidemic of cybercrimes enabled by unsecured external data.  But are these emerging solutions and services any better equipped to handle the job?  As with any other service or product, there is a wide spectrum of offerings with varying levels of quality and efficacy.

Some of these new offerings use technology to address the challenges of identifying, measuring and mitigating data privacy risks.  Others rely on manual processes and training.  Most employ a proprietary combination of tech and people power to attack the problem of data privacy exploitation.  One thing nearly all these solutions have in common, however, is some form of assessment and scoring mechanism aimed at quantifying the risks facing an organization with respect to its level of vulnerability.  Simply put, in order for any individual or organization to understand its risks (and whether or not applied solutions are succeeding at lowering those risks) it must first be able to quantify and measure the risks.  As the old saw attributed to management guru Peter Drucker goes, “If you can’t measure it, you can’t manage it.”

Enter the “privacy risk assessment” or “privacy risk score”.  These terms and the practices they define represent the heart of most solution offerings in the market today.  Every solution must be able to demonstrate its ability to identify and quantify data privacy risk so that it can measure its efficacy at mitigating the risks found.  To devise an assessment and scoring methodology, most privacy management solution providers follow a similar, logical process.

  1. Assess an organization’s risk management framework for the holding and handling of all forms of unsecured external data.
  2. Quantify key capabilities for protection and security, then assign weights to the organization’s policies and practices related to privacy management and information security.
  3. Derive a quantitative measure or “score” of the risks facing each specific organization’s operations.
  4. Use that scoring methodology as a benchmark against which to measure the efficacy of efforts to reduce privacy risk.

These four broad steps are mirrored and greatly elaborated by an exhaustive document on Privacy Risk Management produced by the Information Systems Audit and Control Association, or ISACA.  ISACA serves more than 170,000 constituents (members and professionals holding ISACA certifications) in more than 180 countries in roles such as IS auditor, IS security professional, regulator, chief information officer, chief information security officer, internal auditor and others.

In the ISACA document, a similar process is laid out in much greater detail.  Aimed at creating and implementing a privacy risk management framework, ISACA elaborates on how to conduct privacy risk assessments.  It also introduces more detailed guidance on whom to include in such assessments, including third-party vendors (something many privacy risk management practices overlook).  It also offers guidance on the establishment of response procedures for identified privacy risks and gets very granular in its approach and definitions.  Even a casual review of the document illustrates the complexity of the challenges and underscores how difficult it is to arrive at an effective method for risk assessment and risk scoring calculations.

This process (either the broad one or the granular one) is laudable and represents, in general terms, the proper way forward for any organization serious about privacy and reducing the risk of data breaches and other damaging privacy-driven attacks.  The problem, especially for those organizations outsourcing privacy risk mitigation to a solution provider, lies in the fact that there is no single standard for scoring.  Moreover, every solution provider develops its own recipe for what to include in their risk assessment practices, the associated weighting calculation and ultimately the derived privacy risk score. 

What to Look for in a Privacy Risk Management Solution

The IAPP/KPMG study tells us that regulation/compliance, data management and governance were the top three most common risk domains identified by participants.  So, in broad terms, an effective solution for privacy risk management must necessarily address these three focus areas.  In addition to these considerations, Privacy Bee offers two important constituencies to include in the process of privacy risk management.

As referenced earlier, when discussing the ScienceDirect scholarly article, the Privacy Bee for Business solution applies the three focus areas above to two constituencies of any organization that engages it: the “organizational” and the “individual”.  For any risk scoring mechanism to be effective, it must assess the risks facing the organization as a whole, but also those facing every individual with systems access to the organization.

Without separate focus on both these constituencies, the score derived from any assessment will be incomplete.  While the organizational score correctly focuses on organizational functions such as privacy policy and governance, risk response, compliance, training and human capital management, the risk profiles of each employee and each vendor (and vendor employee) can play an outsized role in the risk calculations.  Any scoring mechanism must therefore derive a score for every individual as well as a cumulative score for the organization.  So, be sure any service or solution you engage provides for assessment and scoring of both your individual personnel and your entire organization.

From a financial perspective, you should also find a solution that provides transparency in pricing.  The more the solution appears to be a “black box”, the less likely it is to be effective.  In the case of Privacy Bee for Business, all the assessment functions, including Privacy Risk Assessment, Employee Risk Management, Vendor Risk Management assessment and External Data Privacy Audit, are fed by user-entered data.  And they are available for any organization to use free of charge.  For this reason, the risk scores derived from these assessments are, by design, agnostic and objective: the customer is under no obligation to use Privacy Bee for Business for active risk mitigation activities, and the assessment values are not subject to manipulation in order to justify the cost of a solution where assessment, scoring and mitigation tasks are part of a monthly subscription.

Of course, Privacy Bee for Business offers a full-service deletions request and management service that involves monthly costs based on the number of individuals included under the coverage. But, determining if the risks justify the cost can be done in great detail without spending a single cent.

What Goes into Privacy Bee Privacy Risk Assessments and Privacy Risk Scores?

Understanding what data is assessed in the Privacy Bee assessment processes – and how the risk scores are derived – helps ensure an organization fully understands where the vulnerabilities lie.  It also ensures the individuals within the organization are educated and informed as to their roles and responsibilities with respect to data privacy and risk management.   Here is how Privacy Bee for Business performs privacy risk assessment and derives privacy risk scores.

Given the limited time CIOs, CISOs, chief privacy officers and other executives have to devote to external data privacy, Privacy Bee developers constructed a solution that simplifies the process.  The Privacy Bee for Business scoring methodology uses a scale from 1 to 99.  The higher the score, the higher the risk for the individual or organization being assessed.  This simple scale makes it easy for administrators to understand intuitively where each asset (employee, vendor organization, etc.) falls on the spectrum of risk, and supports decisions at a glance.

Without revealing the exact parameters of the weightings and calculations, here are some of the more significant factors that influence the scoring, both for the entire organization and for each individual within it.  As noted earlier, there are different considerations for each of these two broad constituencies, and the calculations are different for each.

For the Individual
To gauge the relative risk profile of an individual, Privacy Bee audits and assessments review the following online locations that are likely to contain unsecured privacy data or what is referred to as “unaddressed exposures”.  The higher the volume of unaddressed exposures suffered by an individual, the higher the risk the individual could be victimized by phishing, smishing, email hijack, and other social engineering attacks which have become the primary vector for cybercrimes. For this reason, Privacy Bee looks at:

  • Data Brokers
  • People Search Sites
  • Public Records Sites (DMV, tax assessors, voter registrations, census data, criminal records, medical records, etc.)
  • List Seller Sites
  • Social Media Profiles

The more unaddressed exposures uncovered by the audit and assessment process, the higher an individual’s risk score will be.  As exposures are deleted, the ongoing audit and assessment process begins to show the falling risk score.

For the Organization
Whether the assessments are performed on the client organization or any of its partners – some of the most important factors are:

  • The existence of a privacy policy at the corporate level.  If there is no policy in place, the risk score will be higher. 
  • The completeness of the privacy policy.  If the privacy policy is well-defined and detailed, the risk score is likely to fall lower.  If the policies are nebulous, poorly defined or appear to be based on a generic privacy template, the risk score is likely to remain toward the higher end of the spectrum.
  • The existence of privacy policy compliance structures.  Having a privacy policy in place, even a well-defined one, is only effective if the policy is being implemented and enforced.  In the absence of articulated compliance processes, the risk of breach or other ill effects of inadequate data privacy remains high, and the score will reflect as much.
  • The quality of the data input into the assessments and audits.  As any statistician or engineer will confirm, when it comes to quantitative analysis, the data being analyzed must be sound and clean.  The old axiom “garbage in, garbage out” applies.  If the organization doesn’t include an adequate level of quality in the data it provides to the assessment applications, the risk calculations will not be accurate.  For example, to assess the risk of all the individuals within an organization, the organization must upload employee data including such things as first name, last name, birthdate, telephone number and zip code of each employee.  If some of these identifying data points are missing, the resulting assessment or audit may be less than accurate, and the subsequent score will be questionable.
  • The number of active, unaddressed exposures.  The higher the number of unaddressed exposures identified by the individual scans/audits, the higher the risk is, and the score will reflect this. 
  • The completeness of deletion request tracking and execution.  If a deletion request is met with a non-response or incomplete response, this has a small, negative impact on the organization’s score.  Too many such incomplete requests can have an outsized effect on the organization score.
  • The extent to which external/third-party vendors are addressed in the assessment process.  Any third-party organization with systems access – no matter how limited – represents a risk and threat.  Privacy Bee for Business offers vendor management capabilities which require audit and assessment of third-party individuals to help them lower unaddressed exposures and overall risk.  Without a focus on vendor risk management, the organization’s score will suffer.
  • The completeness of (and compliance with) privacy risk mitigation training during new employee onboarding.  Privacy Bee for Business is more than scans, audits and deletions management.  Other facets of the solution include training and other immersive activities aimed at engaging the individual employee to foster awareness and affinity for good data privacy hygiene.  If these practices are robust and sustained, this lowers the risk score.
  • The level of workforce coverage.  Simply put, all employees with any level of information systems access are a target for social engineering and other vectors used by cybercriminals to gain unauthorized access to sensitive information.  Organizations that opt to only provide coverage for their executive team or mid-to-upper level management run higher risks and their scores will be impacted accordingly.
  • The impact of any reported data breaches.  If the organization is victim of a data breach, the risk score for the organization will increase noticeably for obvious reasons.  Over time, as the compromised data ages, subsequent audits and ongoing assessments will likely show the risk score reverting to safer tolerances. 
  • Trust values based on all Privacy Bee users’ recorded trust values.   All users of Privacy Bee, whether they’re employees of an organization or simply consumers that have any interaction with the organization are encouraged to record trust levels as part of the individual’s privacy risk management practice.  If an organization suffers from lower trust scores, this also raises the risk score for the organization.

Other factors and considerations are involved in the generation of both individual and organizational risk scores.  But the above listings provide a very clear notion of what types of things are assessed and how the findings are synthesized into actionable scores that can be used to enforce good corporate governance as regards data privacy risk management. 
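To make the four-step process described earlier (assess, weight, score, benchmark) and the individual and organizational factors listed above concrete, here is a small worked model.  It is an added example written for this page, not Privacy Bee’s code, and the page states that the real weights and calculations are proprietary; every weight, saturation point, half-life and the squared non-response penalty below are therefore assumptions chosen only to illustrate the structure.  The sample inputs are constructed.  Beyond the factors the page lists, it shows two caveats the text raises: a reported breach whose contribution decays with age, and a confidence flag that drops when the identifying fields a scan needs are missing (garbage in, garbage out).

```python
"""Hypothetical weighted privacy-risk scoring model (added example, not Privacy Bee's formula)."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

# Exposure sources the page lists for individuals.
EXPOSURE_SOURCES = ("data_brokers", "people_search", "public_records", "list_sellers", "social_media")
# Identifying fields the page says an organization must upload per employee.
REQUIRED_IDENTITY_FIELDS = ("first_name", "last_name", "birthdate", "phone", "zip")
EXPOSURE_SATURATION = 20       # assumption: this many unaddressed exposures = maximum individual risk
BREACH_HALF_LIFE_DAYS = 180    # assumption: a breach's weight halves every 180 days
ORG_WEIGHTS = {                # assumed weights (sum to 100 for readability); real ones are proprietary
    "no_policy": 10, "policy_incomplete": 10, "no_compliance_process": 10, "vendor_gap": 10,
    "training_gap": 5, "coverage_gap": 10, "deletion_nonresponse": 10, "recent_breach": 15,
    "low_trust": 5, "workforce_exposure": 15,
}


@dataclass
class Individual:
    identity: dict[str, str]                         # fields supplied by the organization
    exposures: dict[str, int] = field(default_factory=dict)   # source -> unaddressed exposure count

    def raw_risk(self) -> float:
        """0..1: more unaddressed exposures means more risk, saturating at EXPOSURE_SATURATION."""
        total = sum(self.exposures.get(src, 0) for src in EXPOSURE_SOURCES)
        return min(total / EXPOSURE_SATURATION, 1.0)

    def missing_fields(self) -> list[str]:
        return [f for f in REQUIRED_IDENTITY_FIELDS if not self.identity.get(f)]


@dataclass
class Organization:
    has_privacy_policy: bool
    policy_completeness: float      # 0 = generic template .. 1 = detailed and specific
    has_compliance_process: bool
    vendors_assessed_ratio: float   # share of vendors with systems access that were assessed
    training_ratio: float           # share of new hires completing privacy training
    workforce_coverage: float       # share of employees with systems access under coverage
    deletion_requests: int
    deletion_nonresponses: int      # requests met with no or incomplete response
    last_breach: date | None
    trust_score: float              # 0..1 mean of recorded trust values (1 = fully trusted)
    people: list[Individual]


def to_score(raw: float) -> int:
    """Map a 0..1 risk fraction onto the page's 1..99 scale (higher = riskier)."""
    raw = min(max(raw, 0.0), 1.0)
    return 1 + round(raw * 98)


def individual_score(person: Individual) -> tuple[int, bool]:
    """Score plus a confidence flag that is False when required identifying fields are missing."""
    return to_score(person.raw_risk()), not person.missing_fields()


def breach_factor(last_breach: date | None, today: date) -> float:
    """Reported breach raises risk immediately, then decays as the compromised data ages."""
    if last_breach is None:
        return 0.0
    return 0.5 ** ((today - last_breach).days / BREACH_HALF_LIFE_DAYS)


def organization_factors(org: Organization, today: date) -> dict[str, float]:
    """Each factor is a 0..1 risk contribution; 1 is the worst case."""
    nonresp = org.deletion_nonresponses / org.deletion_requests if org.deletion_requests else 0.0
    people_risk = sum(p.raw_risk() for p in org.people) / len(org.people) if org.people else 1.0
    return {
        "no_policy": 0.0 if org.has_privacy_policy else 1.0,
        "policy_incomplete": (1 - org.policy_completeness) if org.has_privacy_policy else 1.0,
        "no_compliance_process": 0.0 if org.has_compliance_process else 1.0,
        "vendor_gap": 1 - org.vendors_assessed_ratio,
        "training_gap": 1 - org.training_ratio,
        "coverage_gap": 1 - org.workforce_coverage,
        "deletion_nonresponse": nonresp ** 2,   # small effect per request, outsized once many go unanswered
        "recent_breach": breach_factor(org.last_breach, today),
        "low_trust": 1 - org.trust_score,
        "workforce_exposure": people_risk,
    }


def organization_score(org: Organization, today: date) -> tuple[int, bool]:
    """Weighted sum of factors mapped to 1..99, plus confidence (False if any person's data is incomplete)."""
    factors = organization_factors(org, today)
    weighted = sum(ORG_WEIGHTS[k] * v for k, v in factors.items()) / sum(ORG_WEIGHTS.values())
    confident = all(not p.missing_fields() for p in org.people)
    return to_score(weighted), confident


def build_sample() -> Organization:
    """Constructed sample inputs, not real data."""
    alice = Individual(
        identity={"first_name": "Alice", "last_name": "Example", "birthdate": "1980-01-01",
                  "phone": "555-0100", "zip": "30301"},
        exposures={"data_brokers": 6, "people_search": 3, "social_media": 1},   # 10 unaddressed
    )
    bob = Individual(
        identity={"first_name": "Bob", "last_name": "Example", "birthdate": "1985-02-02",
                  "phone": "555-0101", "zip": "30302"},
    )
    return Organization(has_privacy_policy=True, policy_completeness=0.75, has_compliance_process=True,
                        vendors_assessed_ratio=0.5, training_ratio=0.8, workforce_coverage=0.6,
                        deletion_requests=20, deletion_nonresponses=4, last_breach=date(2023, 1, 6),
                        trust_score=0.9, people=[alice, bob])


def demo(today: date = date(2024, 1, 1)) -> tuple[int, int]:
    """Baseline organization score, then the re-scored benchmark after 8 of Alice's exposures are deleted."""
    org = build_sample()
    before, _ = organization_score(org, today)
    org.people[0].exposures = {"data_brokers": 2}   # deletion requests executed and confirmed
    after, _ = organization_score(org, today)
    return before, after


if __name__ == "__main__":
    print("individual:", individual_score(build_sample().people[0]))
    print("organization before/after mitigation:", demo())
```

The point of `demo()` is step four of the process: the same inputs re-scored after deletions give a lower number on the same scale, which is what makes the score usable as a benchmark.  Note that none of the weights here are Privacy Bee’s, and that a score from any provider should be read alongside its confidence: with the sample data, removing Alice’s birthdate leaves her score unchanged but flips the confidence flag, which is exactly the “garbage in, garbage out” situation the text warns about.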

In closing, it is worth noting that most of the Privacy Bee for Business solution elements enumerated in this paper (as well as the other elements not mentioned here) are delivered to the market with no charge and no obligation.  These tools exist to help everyone, person or organization, gain perspective on their privacy risk, and to help drive awareness of the challenges and adherence to best practices for safe operations online in an environment rife with peril for both individuals and the organizations that employ them.  It is equally important to note that the only way to reduce risk for all involved is to remove all unaddressed exposures.  Addressing each exposure involves submitting a deletion request for it and knowing which (if any) regulatory requirements apply based on the geographical location of the entity to which the deletion request is issued.  It is this process that takes a great deal of effort to ensure the unsecured data is removed and remains removed.  Organizations or individuals can assume responsibility for this tedious and time-consuming task in perpetuity, or they can engage Privacy Bee for Business licenses and let Privacy Bee’s army of worker bees do the work.
