Non-compliance with regulatory requirements in respect of data protection poses enormous risk to the organisation as well as its governing body. Personal information must be processed lawfully and in accordance with the 8 processing principles.

You are expected to identify all reasonably foreseeable internal and external risks, establish appropriate safeguards, and regularly review these safeguards and update when new risks emerge.

As such, it is important to complete a risk assessment exercise in order to establish exactly where the risks to your organisation lie, the likelihood of these risks materialising, and what the impact would be if they do.

Completing your initial risk assessment will allow for proper planning to address these risks by:

  • avoiding them (removing the risk);
  • transferring them (such as through insurance);
  • accepting them (they are small or infrequent enough to manage); or
  • mitigating them (implementing controls to reduce the risk).

Your risk assessment should identify those risks which need urgent attention and those which don’t. Your risk treatment plan should identify the appropriate management action, resources, responsibilities and priorities for managing personal information security risks.

This then allows the governing body to strategically plan for the resources necessary to address the most critical risks first.

A vital part of this process is reviewing and evaluating the organisation’s implementation of its strategy during the previous year, and providing the guidance and support needed to help the organisation reach the goals it has set.