UW Privacy Office

Risk Profile

Last updated on December 15, 2022



Upholding UW values and Privacy Principles when processing personal data requires that the UW first identify and manage the potential risks of harm for individuals and privacy-related risks for the UW. To do this in a cohesive and efficient manner, the Privacy Office has implemented the TrustArc Privacy Management Platform as a standardized mechanism for UW units to:

  • Inventory essential information for assessing risk that is associated with their third parties, systems, and business processes, such as the personal data elements, purpose, legal requirements, volume of records, and relationship to activities that are considered high-risk.
  • Review their risk profile before and after controls are in place.
  • Assess and manage potential risks (as needed).


The risk profile in TrustArc helps all areas of the University:

  • Develop a common understanding of risk related to predefined data subject types, data elements, and processing purposes, especially those that are higher risk/sensitive as determined by the University.
  • Efficiently and accurately identify the potential impacts and risk of harm to individuals when engaging in personal data processing.
  • Produce risk reports that summarize risks involved with third-party relationships, systems, and business processes.
  • Review inherent risk (i.e., amount of untreated risk before trying to reduce the risk) and residual risk (i.e., amount of risk remaining after controls are put into place).
  • Uphold UW’s values and Privacy Principles and meet legal and ethical responsibilities related to personal data.

The risk profile calculation for individual records, and the profiles themselves, will fluctuate over time based on the reevaluation of risk indicators by the Privacy Steering Committee and in relation to changes in legal requirements.


To learn more about the Risk Profile in TrustArc, registered users can access the user guide resources via TrustArc’s User Guide Risk Profile section:

Using the Risk Profile

Third-party contacts, system owners, and business process owners

The risk profile is an informational resource for individuals responsible for third-party relationships, systems, or business processes. While the risk profile does not tell units what to do, it provides clarity about the data processing activities that are high-risk, what the inherent risk is before implementing controls, and the residual risk after relevant controls are implemented.

To understand the risk profile and how it can provide insight into risks related to third-party relationships, systems, and business processes, individuals with TrustArc access should review the resources on this page.

Depending on the result of the risk profile, you may be required or advised to complete a privacy assessment.