If you’re here, most likely you have an interest in best practices for the management of legal documents. You may wonder how all these compliance documents, NDAs, DPAs, and SLAs relate to the risks your business and its data processing face. Regardless of your location, there are laws and international standards that require you to understand your data processing and how it could lead to that data being lost or exposed. To make it easy to follow, we’ll go through this topic together in a question and answer format.
1. What is a risk assessment?
First of all, any risk assessment is a process built around one question: what happens if something in your processes goes wrong? In other words, it is a structured, in-depth review of the checks and controls you have over a system. That system could be the data flow in your company, the rollout of a new piece of software, or your internal product review.
Each risk assessment has its own goal, which you should define before you start working on it. The goal could be, for example, a GDPR-related data flow assessment. You may also wish to have an assessment with several goals. That depends on you and the specifics of your business.
2. Why should I care?
Well, first of all, to run any well-maintained business, especially in online-related industries, keeping an eye on your processes and their security is a must. Furthermore, if you ever have a security incident involving data loss, it is much easier to recover and improve if you have invested in a risk assessment beforehand: it documents what you assessed, which controls were in place, and where they need to be improved. At LiveChat, we run risk assessments and update them on a regular basis. That helps us to be ready so that we can respond quickly when an incident occurs. It also gives us an overview of what we have in our system and data flow, but more about us later on.
3. How to start? What should be in my risk assessment?
First of all, you should try to answer the following questions:
- What categories of data do you have in your company? For example, name and surname of your customers, email addresses, domain names, customer IDs, shipping addresses, and billing data.
- What processing activities do you perform on this data? Remember, you should cover all processing activities you do on a particular set of data.
- What are the potential risks associated with it? As an example, let’s use LiveChat account login information. If someone has those credentials, they could access data coming from chats or send misleading information to customers.
- How likely is it that something like this will happen? Again, let’s take a look at the example of account credentials. You should analyze how you store those credentials, with whom you share them, how easy or difficult it is to access them, and who can access them (including whether any special skill is needed to access this information).
- How do you mitigate these risks? You definitely need to have procedures to keep your data safe, and you should describe those procedures. A good side benefit is that you get a chance to think your procedures through.
- Try to evaluate the risks. Ask yourself if what you have in place to protect this data flow is enough or if you need to improve it. If you see that some categories of data deserve special care because of their importance (for example, medical info or billing data), try to determine internally what else can be done to make them safer.
4. What’s next? How should it be written down?
It sounds like a lot to do, but don’t panic. It’s not that hard. Start with clear divisions and a methodology. Look at the example we used, and try to make it work for your use case. At LiveChat, we process different categories of data, and for each one we record the following:
- Category: Customer: You can add a definition here to make it simpler for revision later on, so just explain who your customer is. For us, it's a person who has an active subscription at LiveChat.
- Type of data processed: name, surname, email address, contact details, business address, company name, and so on. Try to be as specific as you can.
- Processing activities: Describe what you do with the data. For example, it could be account set-up, support delivery, invoice sending, etc.
- Risks: What may potentially happen? If something bad happens, will it cause physical or financial damage? Just try to imagine what may happen if someone unauthorized accesses this data.
TIP: If doing it in order is too much to start with, try to do a mind map or just write down all you know, and then try to categorize it all.
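To show how the questions from sections 3 and 4 fit together in one place, here is a small risk register in Python. It is an added example, not a LiveChat document or tool: the "Category / Type of data / Processing activities / Risks" layout follows the post, but the 1-to-3 likelihood and impact scale, the threshold of 4, and the two sample data flows (including their mitigations) are assumptions made up for this illustration.

```python
from dataclasses import dataclass, field

# Scoring scale is an assumption of this example (1 = low, 3 = high);
# the post only asks "how likely is it?" and "what may happen?".
LIKELIHOOD = {"unlikely": 1, "possible": 2, "likely": 3}
IMPACT = {"minor": 1, "moderate": 2, "severe": 3}

# Data types the post singles out for special care (medical info, billing data).
SPECIAL_DATA = {"medical", "billing"}


@dataclass
class Risk:
    description: str
    likelihood: str                      # key of LIKELIHOOD
    impact: str                          # key of IMPACT
    mitigations: list[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


@dataclass
class DataFlow:
    category: str                        # e.g. "Customer"
    definition: str                      # who the category means, for later revision
    data_types: list[str]
    processing_activities: list[str]
    risks: list[Risk]

    def special_types(self) -> list[str]:
        return [t for t in self.data_types
                if any(s in t.lower() for s in SPECIAL_DATA)]


def validate(flow: DataFlow) -> list[str]:
    """Return the gaps the post's checklist would catch: is every question answered?"""
    problems = []
    if not flow.data_types:
        problems.append(f"{flow.category}: no data types listed")
    if not flow.processing_activities:
        problems.append(f"{flow.category}: no processing activities listed")
    if not flow.risks:
        problems.append(f"{flow.category}: no risks identified")
    for r in flow.risks:
        if not r.mitigations:
            problems.append(f"{flow.category}: '{r.description}' has no mitigation")
    return problems


def needs_attention(flow: DataFlow, threshold: int = 4) -> list[str]:
    """Risks scoring at or above threshold, plus any special-care data types."""
    hits = [f"{r.description} (score {r.score})"
            for r in flow.risks if r.score >= threshold]
    for t in flow.special_types():
        hits.append(f"special-care data type: {t}")
    return hits


def render(flows: list[DataFlow]) -> str:
    """Plain-text write-up in the Category / Type / Activities / Risks layout."""
    out = []
    for f in flows:
        out.append(f"Category: {f.category} ({f.definition})")
        out.append("  Type of data processed: " + ", ".join(f.data_types))
        out.append("  Processing activities: " + ", ".join(f.processing_activities))
        for r in f.risks:
            out.append(f"  Risk [{r.likelihood}/{r.impact} = {r.score}]: {r.description}")
            out.append("    Mitigations: " + (", ".join(r.mitigations) or "NONE"))
    return "\n".join(out)


# Constructed sample register (illustrative, not real LiveChat data).
CUSTOMER = DataFlow(
    category="Customer",
    definition="person with an active subscription",
    data_types=["name and surname", "email address", "business address", "billing data"],
    processing_activities=["account set-up", "support delivery", "invoice sending"],
    risks=[
        Risk("account credentials leaked; attacker reads chats or messages customers",
             "possible", "severe",
             mitigations=["credentials stored hashed", "access limited to account owner"]),
        Risk("invoice sent to wrong email address", "unlikely", "moderate",
             mitigations=["address confirmed at sign-up"]),
    ],
)

VISITOR = DataFlow(
    category="Website visitor",
    definition="anyone who opens a chat widget",
    data_types=["IP address", "chat transcript"],
    processing_activities=["chat delivery"],
    risks=[Risk("transcript exposed to unauthorized agent", "possible", "moderate")],
)

if __name__ == "__main__":
    print(render([CUSTOMER, VISITOR]))
    for flow in (CUSTOMER, VISITOR):
        for p in validate(flow):
            print("GAP:", p)
        for h in needs_attention(flow):
            print("ATTENTION:", flow.category, "-", h)
```

Running it prints the write-up for both flows, then flags the visitor flow for a risk with no mitigation and the customer flow for the high-scoring credential risk and for billing data. The point of `validate` is that a register is only useful when every question from section 3 has an answer; `needs_attention` is where the "evaluate the risks" step becomes a repeatable check rather than a one-off judgement.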
5. Who is the best person in the company to ask for an assessment?
Usually, it’s different teams in your company working together. It’s always a good idea to choose a leader who has a good overview of the company. To make a good risk assessment you don’t need tons of legal knowledge, but you have to know your business and your company well!
6. I use LiveChat. Should I mention that in our risk assessment? Is it safe from the perspective of risks and mitigations to use our products?
The only right answer is yes. At LiveChat, we’ve invested a lot of time and experience in security standards. You can feel safe that once you share your data with us, we keep an eye on it. Also, if you wish to check whether we meet your standards (of course, after you have your own risk assessment done), you can look at the information below:
- Check how safe we are by taking a look at the LiveChat Security Policy https://www.livechat.com/legal/security/
- GDPR-friendly people will enjoy this. Here is the LiveChat GDPR FAQ https://www.livechat.com/legal/gdpr-faq/
- Tech people will appreciate this. It’s the LiveChat Data Storage and Hosting Policy https://www.livechat.com/legal/data-storage-hosting-policy/
Risk Assessment is a useful tool to track your data processing, but we know that it may be a challenge. That’s why we’ve prepared a sample document for you with an explanation on how to start with your own risk assessment. Check out our template here.