The EU GDPR is, at its heart, about privacy risk: avoiding privacy violations means understanding and mitigating that risk. But what is privacy risk? The GDPR references it 75 times yet never elaborates how to measure it. Yes, it warns that risky behavior includes large-scale data processing with the intent of personal profiling. It even outlines a recommendation for removing identification risk through de-identification, but it does not spell out how an organization can operationalize privacy risk monitoring and make it actionable.
As security practitioners learned long ago, measuring security risk is instructive for managing security risk. Historically, actionable risk measurement was problematic in privacy because the benchmarks were more legal than data driven. As new regulations like GDPR are phased in, however, and organizations gain better insight into the data they collect and process in response, it becomes possible to move privacy risk from a “know it if I see it” realm to one that is prescriptive and exact.