Risk Assessment Guideline for Transferring Personal Data Outside the Kingdom – Second Phase: Assessing Negative Impacts and Potential Risks of Personal Data Processing focuses on identifying and evaluating potential harms that could arise when processing personal data—especially when that processing is linked to offering a service or product to the public. Organizations must examine each stage of personal data handling (from collection to destruction), and connect them to possible risks, such as weak security measures, unauthorized access, or technological vulnerabilities.
The assessment involves defining threats, understanding how likely they are to occur, and how much damage they could cause to individuals or society. Once the risks are understood, entities must design appropriate controls (technical, organizational, physical) to reduce those risks, in accordance with PDPL Articles 19 and 23.
Second Phase: Assessing Negative Impacts and Potential Risks of Personal Data Processing
This phase involves the steps required to assess the potential negative impacts and risks arising from the processing of personal data when offering a service or product to the public. The process involves the following steps:
Second Phase: Assessing Negative Impacts and Potential Risks of Personal Data Processing (1)
Linking the elements of negative impact and potential risk assessment, as outlined below, to each activity identified under Paragraph (d) of Clause (I) in this guideline. An international standard for risk assessment and threat analysis may be adopted to define these elements, taking into account the following:
A. Vulnerabilities or Weak Spots: The result of an analysis evaluating the adequacy of measures taken to ensure that each processing activity complies with the provisions, controls, and procedures established by the Law and its Regulations.
B. Source of Threat: Any source, whether internal or external to the controller or processor, that engages in processing personal data for illegal purposes, whether intentionally or unintentionally.
C. Expected Event: Any action that exploits existing sources of threats, vulnerabilities, or weak spots, leading to negative impacts on personal data subjects.
D. Impacts: The level of damage caused by expected events which can be assessed by analyzing the extent of their impact. The impact may affect only the personal data subject, extend to their family and friends, or even reach the broader community.
E. Probability of Occurrence: The likelihood of an event occurring by evaluating the resources and capabilities available to threat sources that could enable them to exploit weak spots and vulnerabilities.
F. Level of Risk: The result of measuring impact severity relative to the likelihood of occurrence.
Second Phase: Assessing Negative Impacts and Potential Risks of Personal Data Processing (2)
Analyzing the activities outlined in Paragraph (d) of Clause (I), together with any additional elements relevant to each phase. This includes identifying the elements associated with assessing the negative impacts and potential risks of processing personal data, as described in this section, and evaluating their levels. These elements include, but are not limited to, analyzing the activities that enable the personal data subject to access their data held by the controller, which involves evaluating the measures implemented to verify the subject’s identity and assessing their adequacy. Insufficient measures in this regard constitute a vulnerability that unauthorized individuals could exploit, potentially leading to access to or misuse of the data for personal gain or to the detriment of the data subject.
Second Phase: Assessing Negative Impacts and Potential Risks of Personal Data Processing (3)
Identifying suitable controls and measures to prevent risks, minimize their likelihood, or mitigate their impact when they occur. This is achieved by implementing relevant administrative, technical, and physical controls in accordance with the provisions of Article (19) of the Law and Article (23) of its Implementing Regulation.
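The three steps above describe a per-activity risk register: each processing stage is linked to the six elements (A. vulnerability, B. threat source, C. expected event, D. impact, E. probability, F. risk level), the identity-verification measures for access requests are checked for adequacy, and controls are assigned where risk remains. The following Python is an added illustration of that workflow and is not code from the guideline or from the Authority; the ordinal impact and likelihood scales, the low/medium/high thresholds, the set of measures treated as strong identity checks, and the sample activities are all constructed assumptions, since the guideline leaves the scale to whichever international standard the entity adopts.

```python
"""Risk register for personal-data processing activities, modelled on the six
elements (A-F) of the guideline's second phase. Added example: the scales,
thresholds, strong-check set and sample activities are illustrative assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# D. Impact: how far the damage reaches (ordinal scale is an assumption).
IMPACT_SCALE: Dict[str, int] = {"data_subject": 1, "family_and_friends": 2, "community": 3}
# E. Probability: threat capability weighed against control strength (assumed scale).
LIKELIHOOD_SCALE: Dict[str, int] = {"low": 1, "medium": 2, "high": 3}
# Identity-verification measures treated as adequate for data-subject access
# requests (assumption for this example; the guideline does not list specific ones).
STRONG_IDENTITY_CHECKS = {"otp_to_registered_phone", "verified_national_id", "mfa_login"}


@dataclass
class ProcessingActivity:
    name: str                 # stage of handling, from collection to destruction
    vulnerability: str        # A. weak spot found when checking existing measures
    threat_source: str        # B. internal or external, intentional or not
    expected_event: str       # C. how the threat exploits the weak spot
    impact: str               # D. key of IMPACT_SCALE
    likelihood: str           # E. key of LIKELIHOOD_SCALE
    controls: List[str] = field(default_factory=list)  # step (3) safeguards


def risk_score(activity: ProcessingActivity) -> int:
    """F. Level of risk: impact severity combined with likelihood of occurrence."""
    return IMPACT_SCALE[activity.impact] * LIKELIHOOD_SCALE[activity.likelihood]


def risk_level(score: int) -> str:
    """Map a 1..9 score onto low/medium/high (thresholds are an assumption)."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def identity_verification_gap(measures: List[str]) -> Optional[str]:
    """Step (2): an access channel with no strong identity check is a vulnerability
    an unauthorized person could use to obtain the subject's data. Returns a
    description of the gap, or None when at least one strong check is present."""
    if STRONG_IDENTITY_CHECKS & set(measures):
        return None
    if not measures:
        return "no identity verification"
    return "identity verification relies only on: " + ", ".join(measures)


def assess(activities: List[ProcessingActivity]) -> List[dict]:
    """Build the register, highest risk first, flagging activities whose risk is
    above low but that have no administrative, technical or physical control."""
    rows = []
    for a in activities:
        score = risk_score(a)
        level = risk_level(score)
        rows.append({
            "activity": a.name,
            "vulnerability": a.vulnerability,
            "threat_source": a.threat_source,
            "expected_event": a.expected_event,
            "score": score,
            "level": level,
            "uncontrolled": level != "low" and not a.controls,
        })
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample register for a fictional service (not from the guideline).
SAMPLE_ACTIVITIES = [
    ProcessingActivity(
        name="data-subject access requests",
        vulnerability=identity_verification_gap(["email_address_match"]) or "none",
        threat_source="external, intentional",
        expected_event="impersonation of the data subject to obtain their records",
        impact="data_subject", likelihood="high",
    ),
    ProcessingActivity(
        name="transfer to a processor outside the Kingdom",
        vulnerability="transport encryption not enforced",
        threat_source="external, intentional",
        expected_event="interception of records in transit",
        impact="community", likelihood="medium",
        controls=["TLS enforced", "data transfer agreement"],
    ),
    ProcessingActivity(
        name="destruction of expired records",
        vulnerability="deletion not verified",
        threat_source="internal, unintentional",
        expected_event="records retained beyond their purpose",
        impact="data_subject", likelihood="low",
        controls=["quarterly deletion audit"],
    ),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_ACTIVITIES):
        flag = "  <-- no control assigned" if row["uncontrolled"] else ""
        print(f'{row["level"]:6} ({row["score"]}) {row["activity"]}{flag}')
```

Running the module prints the register in descending risk order; the access-request activity is flagged because its only identity check is an email-address match and no control has yet been assigned, which is exactly the gap step (2) asks the entity to look for before step (3) assigns safeguards.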
Explanation of Second Phase: Assessing Negative Impacts and Potential Risks of Personal Data Processing
Match risk to data flow:
Risk Assessment Guideline for Transferring Personal Data Outside the Kingdom – Second Phase says that for each data processing activity, assess threats, weak points, impacts, and likelihood of risks.
Where are we exposed?
Risk Assessment Guideline for Transferring Personal Data Outside the Kingdom – Second Phase also says to assess whether current security or compliance controls are sufficient or leave gaps.
Who or what causes harm?
Risk Assessment Guideline for Transferring Personal Data Outside the Kingdom – Second Phase also says to consider both internal and external sources that may accidentally or intentionally misuse data.
What could happen?
Risk Assessment Guideline for Transferring Personal Data Outside the Kingdom – Second Phase also says to understand how threats could exploit weaknesses to harm data subjects.
Who gets hurt?
Risk Assessment Guideline for Transferring Personal Data Outside the Kingdom – Second Phase also says to evaluate how much damage an event could cause—from individuals to the broader society.
Is it probable?
Risk Assessment Guideline for Transferring Personal Data Outside the Kingdom – Second Phase also says to assess how likely each risk is to occur based on threat capability and control strength.
Impact × Likelihood
Risk Assessment Guideline for Transferring Personal Data Outside the Kingdom – Second Phase also says to combine the severity of impact with the chance it occurs to determine overall risk level.
Access control risks:
Risk Assessment Guideline for Transferring Personal Data Outside the Kingdom – Second Phase also says to specifically analyze risks linked to verifying identity of data subjects (e.g., weak authentication).
Reduce risk exposure:
Risk Assessment Guideline for Transferring Personal Data Outside the Kingdom – Second Phase also recommends administrative, technical, or physical safeguards to avoid, reduce, or manage risks.