17 - Potential risks and security weaknesses should be identified and assessed how they may harm
Purpose:
Identifying risks and their impact can help mitigate their impact
Best Practices:
Develop privacy risk assessment to categorize sensitivity of and risk to different systems
18 - Plans should be developed to mitigate those risks
Purpose:
Having an outlined plan to mitigate risk will provide a standardized way to respond
Best Practices:
Create a minimum security policy first, and build upon it as the company grows
Examples:
NIST Framework gives a good outline, other resources on the website