A Personal Data Value at Risk (Pd-VaR) Approach
What if the main data protection vulnerability is risk management itself? Data protection merges three disciplines: data protection law, information security, and risk management. Nonetheless, very little research has been done in the field of data protection risk management, where subjectivity and superficiality remain the dominant state of the art. Since the GDPR tells you what to do but not how to do it, approaching GDPR compliance is still a grey zone in which the prevailing practice is the rule of thumb. Considering that the most important goal of risk management is to reduce uncertainty in order to make informed decisions, risk management for the protection of the rights and freedoms of data subjects cannot be disconnected from the materialisation of impacts that data controllers and processors need to assess. This paper proposes a quantitative approach to data protection risk-based compliance from a data controller's and processor's perspective, with the aim of proposing a change of mindset, in which data protection impact assessments are improved by using data protection analytics, quantitative risk analysis, and the calibration of experts' opinions.
© The Author(s) 2024. Published by RITHA Publishing. This article is distributed under the terms of the CC-BY 4.0 license, which permits any further distribution in any medium, provided the original work is properly cited, maintaining attribution to the author(s) and the title of the work, the journal citation, and the DOI URL.
Enríquez, L. (2024). A personal data value at risk (Pd-VaR) approach. Journal of Research, Innovation and Technologies, Volume III, 2(6), 141-158. https://doi.org/10.57017/jorit.v3.2(6).05