Formulating a privacy risk register

The following Risk & Compliance guidance note provides comprehensive and up-to-date legal information covering:

  • Formulating a privacy risk register
  • Identifying privacy risks: risk assessment
  • Scoring each risk
  • Completing the privacy risk register
  • Sample privacy risk register
  • Is it mandatory to have a privacy risk register?
  • Monitoring and updating your privacy risk register

A privacy risk register is a tool that allows you to collate, record, track and manage all your data protection, information security and privacy risks information in one place. This Practice Note guides you through the process of creating a privacy risk register. See Precedent: Privacy risk register.

Identifying privacy risks: risk assessment

To formulate an effective privacy risk register, you must first identify the risks your firm faces. You can do this by completing a risk assessment—see Precedent: Data protection risk assessment—long form or Data protection risk assessment—short form.

There is no established format for a risk assessment, but it would make sense to consider:

  1. what personal data do you receive and/or hold?

  2. how do you process data?

  3. for what purposes do you process data?

  4. do you transfer or share data and, if so, to whom and how?

  5. how does data move within your organisation?

  6. do you transfer data outside the EEA?

  7. how do you ensure data remains accurate and up-to-date?

  8. how long do you keep data?

  9. how do you destroy data?

Precedent: Data protection risk assessment—long form guides you through the process of assessing your risks, using the above criteria. For each risk you identify in the risk assessment, you are given the option to:

  1. record an action point to address the risk immediately—this would be suitable for simple risks
