Safeguarding Tomorrow: The Importance of Evaluating Compliance Risk Today

Safeguarding Tomorrow: The Importance of Evaluating Compliance Risk Today
Estimated Reading Time: 7 minutes

It happens every day: marketing purchases a new platform with the promise of helping the organization meet and exceed business targets. When it comes time to implement the revolutionary new solution, a privacy review is initiated as part of the onboarding process. When legal and privacy reviews are conducted, it becomes clear that many of the features and functionalities are a no-go: personal data is being disclosed to a third party not currently reflected in disclosures to users; first-party data required doesn’t have appropriate consent from consumers; and the targeting functionality relies upon automated decision making, which creates a high compliance risk. 

It’s going to take 12 months before the platform is‌ usable in a compliant manner. Millions have been spent on a solution which can’t realize any return on the investment until next year, at the earliest. Frustrations abound. 

In today’s changing marketing and advertising technology environment, with third-party cookies being deprecated and new AI features being introduced to solve for subsequent signal loss, scenarios like the one described are increasing in their frequency. More personal data is required in advertising technologies; more automated decision making is embedded; and privacy risks are heightened. It is imperative for privacy and legal teams to clearly define policies and processes to enable decision makers in marketing and advertising functions to identify and consider compliance risk in all of their decisions. 

The process begins and ends with legal and privacy teams. Clear guidance must be provided for what constitutes high, medium, and low-risk activities. To define these parameters, it is helpful to ask: if something goes wrong, what is the likelihood and impact of punishment? 

Start with an initial assessment of if any personal data from consumers is involved. If not, risks are generally lower as the processing activity is unlikely to be in scope for privacy regulations. There are still risks for brand reputation and potential disclosure of proprietary information, which should be considered, but in the privacy context, any activities involving personal data are the focus. 

When dealing with personal information/personal data of users, the stakes are raised. To assign risk for these scenarios, it is helpful to look at guidance from regulatory bodies, especially those in Europe, as guidance is much more explicit than compared with guidance from the United States. While the examples provided are from EU regulators, the principles are universal.

In April 2022, the European Data Protection Board published guidelines for how administrative fines should be calculated for supervisory authorities when assessing GDPR infringements. In October 2023, the UK’s Information Commissioner’s Office published draft guidelines for the same. In both, the specific information highlighted to be considered in an assessment of the seriousness of a violation is similar, with the following factors detailed:

  • The nature of the infringement

The nature of the infringement is assessed by the concrete circumstances of the case. This considers what the infringed provision seeks to protect (i.e. what right of the consumer or obligation of the business has been violated). In addition, the degree to which the infringement prohibited the application of the provision and fulfillment of the objective is considered. 

  • The gravity of the infringement

The gravity of the infringement is essentially the severity of the violation. Several explicit factors are defined to be considered to determine the gravity of the infringement:

  1. The nature of the processing – This includes the context in which the processing is functionally based (business activity, non-profit, political, etc.) as well as the characteristics of the processing. The nature of processing are the techniques involved. If the purpose is to monitor a user, evaluate personal aspects of the user, is an application of new or innovative technology, if the processing is opaque, and if the processing involves automated decision making with the potential for a negative impact on the user, then risk is higher and thus more weight is added. More weight can also be added to this factor if there is a clear imbalance of power between the controller and the data subject. 
  2. The scope of the processing – This factor considers the degree of difficulty the data subject and supervisory authority has to curb the unlawful conduct. It factors in if the processing is local, national, or cross-border to help determine this as well as the amount of resources dedicated to the processing activity by the controller. The larger the scope, the more weight can be attributed to this factor. 
  3. The purpose of the processing – The purpose for which the processing is happening or the “why” behind the processing. If the processing is central to a controller’s core activities, then it can be given more weight as well as if the processing has a significant impact on outcomes for the data subject.
  4. The number of data subjects – This considers both the number of subjects impacted as well as the number potentially affected or put at risk due to the infringing behavior. Also considered is if the infringing processing is of a systemic nature. To determine this, the ratio of impacted subjects to total subjects can be considered. In both cases, the higher the number, the more weight can be factored in. 
  5. The level of damage – This factor considers what harms were realized by the data subjects as a result of the processing and the extent to which rights and freedoms were violated. 
  • The duration of the infringement

For how long the infringement has been going on. In general, the longer the duration, the more weight is attributed.

  • Intentional or negligent character of the infringement

If the infringement was done intentionally or is instead a breach of the duty of care, which is required by law. Intentional infringements carry more weight, but ignorance is not bliss. Negligent infringements at best can be regarded as neutral with weight assigned based upon the degree of negligence in the case. 

  • Categories of personal data affected

Regulations clearly define the categories of personal data which carry more weight (sensitive data, data of minors, etc). The type of data involved in the infringing processing is considered in the assessment of the violation’s seriousness.

An assessment of this information allows the supervisory authority to classify the seriousness of the infringement as low/medium/high, with guidance for the legal maximum penalty for each classification tier. 

Similarly, legal and privacy teams can use these factors to assign compliance risk levels to new strategies and solutions proposed by business teams.

Identifying and assigning compliance risk for all activities is the first step. To empower decision making within business teams, it is also necessary to define policies and processes to manage activities within each risk level. The specifics for these standards will differ based upon the organization and the risk tolerance of the compliance and legal teams. Factors such as the size of the organization, applicable compliance regulations, the industry operating in, and the nature of consumer data dealt with should all be considered. Within the context of the organization’s risk tolerance, specific actions such as documentation requirements, ongoing monitoring, contractual obligations, risk mitigation considerations, and review processes are all defined for low/medium/high risk activities. 

The goal is to embed a privacy-centric mindset within business teams by making them privacy conscious. Every new strategy and solution should be evaluated through the lens of compliance risk, with risk mitigation considered in the solution design processes. Articulating a process for assignment of compliance risk and requirements for processing activities within each risk level empowers business teams to make privacy-conscious decisions and get solutions to market faster to satisfy business objectives.

Do you need assistance with your privacy journey?

Our team is here to help whenever you need us.


  • Lucas Long

    Lucas Long is co-author of the Amazon best-selling book, Crawl, Walk, Run: Becoming a Privacy-Centric Marketing Organization. He is also the Director of Privacy Strategy at InfoTrust, working with global organizations at the intersection of digital strategy, privacy regulations, and technical data collection architecture. Through these efforts, Lucas helps companies understand their limitations for data enablement due to privacy challenges and design optimal ways to accomplish core use cases in a compliant manner.

    When not discussing the intricacies of GDPR and cookie laws with clients, Lucas enjoys traveling and exploring new cultures, one bite at a time. Based in Barcelona, he is also a presenter, featured at industry events organized by Google, the Digital Analytics Association, the American Marketing Association, and the Journal of Applied Marketing Analytics.

Originally Published: March 4, 2024

Subscribe To Our Newsletter

March 4, 2024

Other Articles You Will Enjoy

Get to Know India’s Landmark Privacy Legislation: Digital Personal Data Protection Act (DPDPA)

Get to Know India’s Landmark Privacy Legislation: Digital Personal Data Protection Act (DPDPA)

The origins of India’s Digital Personal Data Protection Act (DPDPA) began in 2012 when a report from a committee headed by a former judge…

5-minute read
Safeguarding Privacy: South Africa’s Protection of Personal Information Act (PoPIA)

Safeguarding Privacy: South Africa’s Protection of Personal Information Act (PoPIA)

South Africa’s Protection of Personal Information Act (PoPIA) empowers its citizens with enforceable rights over their personal information. The law establishes eight minimum requirements…

9-minute read
HIPAA Legislation: What Impact Does This Have on Your Analytics Platforms?

HIPAA Legislation: What Impact Does This Have on Your Analytics Platforms?

If you are a healthcare organization operating in the United States, you are likely aware of the significant increase in the focus on the…

9-minute read
AdTech DNA Simplifies the Complex for Global Advertisers

AdTech DNA Simplifies the Complex for Global Advertisers

As a global advertiser, knowing what is happening across your organization is an endeavor wrought with complexity.  Are your advertising technologies implemented correctly?  Do…

3-minute read
A South Asian First: Sri Lanka’s Personal Data Protection Act

A South Asian First: Sri Lanka’s Personal Data Protection Act

I know I covered India’s DPDPA first, but, as it turns out, Sri Lanka beat them to the punch. Sri Lanka’s Personal Data Protection…

6-minute read

Get Your Assessment

Thank you! We will be in touch with your results soon.
{{ field.placeholder }}
{{ }}

Talk To Us

Talk To Us

Receive Book Updates

Fill out this form to receive email announcements about Crawl, Walk, Run: Advancing Analytics Maturity with Google Marketing Platform. This includes pre-sale dates, official publishing dates, and more.

Search InfoTrust

Leave Us A Review

Leave a review and let us know how we’re doing. Only actual clients, please.