Qiyuan Law Talks | In-Depth Interpretation: Standard Process for State-owned Enterprises to Achieve Data Security Compliance (Part 2)
Time: 2024-07-19

Part 2: Risk Identification and Analysis

1. Risk source identification


Risk source identification is a critical step in data compliance work. It assesses the security threats that a personal information processing activity faces and analyzes whether the existing security measures are sufficient to resist those threats; in doing so it identifies the vulnerabilities that inadequate protection leaves open to exploitation and that could lead to a security incident.

Personal information security incidents can arise from many factors, both internal and external. Internal threats include employee negligence or abuse of authority; external threats include deliberate data theft by malicious attackers. Vulnerabilities include physical security gaps that leave equipment exposed to damage, technical defects that lead to improper data handling (leakage, tampering or loss), and management defects that allow permissions to be abused. Risk sources can be grouped into the following four categories:

1. Network environment and technical measures;

2. Personal information processing procedures;

3. Participants and third parties;

4. Business characteristics, scale, and security situation.

2. Risk analysis


(1) Analysis of the likelihood of risk occurrence

Next, based on the four dimensions above (network environment and technical measures, the personal information processing flow, participants and third parties, and business characteristics, scale and security situation), the security measures already in place are analyzed comprehensively using qualitative, semi-quantitative or quantitative methods. The analysis results are then mapped against the following tables (Figures 4 and 5) to obtain the likelihood rating for a security incident.

Figure 4: Source: GB/T 39335-2020 "Information security technology - Guidance for personal information security impact assessment"

Figure 5: Source: GB/T 39335-2020 "Information security technology - Guidance for personal information security impact assessment"

(2) Analysis of the Impact on Personal Rights and Interests

In addition to the likelihood of a security incident, the potential impact of the personal information processing activity on individual rights and interests must also be analyzed.

1. The impact on personal rights includes the following four dimensions:


(1) Restriction of individual autonomy: assess whether the processing infringes the individual's right to choose.

(2) Differential treatment: analyze whether the use of the data may lead to unfair treatment.

(3) Reputational damage or mental stress: consider the impact of a data breach on the individual's reputation and mental health.

(4) Personal injury or property loss: assess the threat a data security incident poses to the individual's personal safety and property.

The process of analyzing the impact on individual rights and interests includes the following four stages:


(1) Personal information sensitivity analysis: with reference to relevant national laws, regulations and standards, and based on the results of data mapping, analyze how the sensitivity of the personal information affects the potential impact on individual rights and interests. For example, leakage or abuse of health and physiological information may have serious physical and psychological consequences for the individual.

(2) Analysis of the characteristics of the processing activity: with reference to relevant national laws, regulations and standards, and based on the results of data mapping, analyze whether the processing activity involves restricting individual autonomy, differential treatment, reputational damage or mental stress, personal injury or property loss, and so on. For example, publicly disclosing a person's experiences may damage their reputation.

(3) Analysis of problems in the processing activity: with reference to relevant national laws, regulations and standards, and based on the results of data mapping, analyze potential weaknesses, gaps and problems in the processing activity. Risk source identification and the analysis of whether the processing flow is compliant support this stage, and the severity of the problems found feeds into the analysis of the impact on individual rights and interests.

(4) Analysis of the impact on personal rights and interests: in the final stage, based on the results of the first three stages, evaluate the potential impact of the processing activity on personal rights and interests and its severity.

Finally, the analysis results are mapped against the following tables (Figures 6 and 7) to obtain the rating for the degree of impact on individual rights and interests.

Figure 6: Source: GB/T 39335-2020 "Information security technology - Guidance for personal information security impact assessment"

Figure 7: Source: GB/T 39335-2020 "Information security technology - Guidance for personal information security impact assessment"

(3) Comprehensive analysis of security risks

The comprehensive security risk analysis combines the likelihood of a security incident with the degree of impact on personal rights and interests to determine the security risk level of the personal information processing activity (Figure 8).

Figure 8: Source: GB/T 39335-2020 "Information security technology - Guidance for personal information security impact assessment"

To be continued
