Identifying undefined risks: A risk model and a privacy risk identification measure in the privacy impact assessment process

Abstract

Privacy impact assessment (PIA) has attracted the attention of privacy watchdogs and researchers for decades. This study focuses on a risk model and risk identification method, which are two crucial elements of the risk identification step in the PIA process. As a preparatory work, this article reviews national and international organizations’ current templates and guidelines and finds that PIA guidance includes multiple domains but rarely provide a risk model or a systematic risk identification method. Based on the analysis, our study offers a risk model that can capture various privacy risk realization processes. It further proposes a combination of risk identification methods that correspond to the main target domains in the PIA and the proposed risk model. This combination consists of privacy principles of a given personal information or privacy rule to check compliance with the rule, and our suggested list of risk factors is useful in inductively finding potential risk scenarios that violate social expectations of privacy.