Business risk assessment – table

  1. Baseline Risk
  2. Where is your digital footprint?
  3. Detailed provider questions
  4. Action Plan

Baseline Risk

Could your digital content be perceived as being about “undesirable” topics (e.g. diversity, equity, and inclusion; transgender people; HIV)?
Have large tech companies abandoned their policies relating to it?
Have large tech companies spoken out against it?
Could you be perceived as an “undesirable” client? Think about how sex workers are removed from Venmo and PayPal – could that be you?
Who are you holding sensitive data on (employees, volunteers, customers, partners)? Are any of them at a higher level of risk?
e.g. if you hold information about the transgender status of people based in the US, holding that data is an existential threat to them and requires additional security

Where is your digital footprint?

Where is your cloud data hosted?
Do you have local backups of your data?
Who did you buy your domain name from? Where are they based?
Who hosts your website? Where are they based?
Who built your website? Where are they based?
What other technical tools do you use?

Detailed provider questions

Ask these for each provider you use

Where are the providers based?
What data do they have?
Where are they storing it?
Are you able to request that your data is hosted outside of the USA?
How complex would it be to move away from this provider?
What would the impact be of losing all data hosted by this provider?
Can you request a full download of data they hold on you? How long does this take?
What third party providers (“subprocessors”) do they use?
How reliant are they on government contracts? This indicates how likely they are to proactively change their policies to align with government guidance.
What public statements have they made about policies that affect your business?
Review your contract! How much notice do you get for Terms of Service changes that could affect you? What protections or recourse do you have if your organisation is deplatformed?

Action Plan

Risk | Mitigation | Timeline
e.g. we have no backup of our cloud data, but it’s impractical to move off AWS | Set up a monthly backup to VaultCloud: minimizes costs and build requirements while still increasing security. | Three months
e.g. we hold information on the transgender status of people currently located in the USA | We do not require this information for our core business purposes, so we can delete it. | One week: assess and communicate with affected people. Two weeks: delete the information.