Data protection risk and impact assessments

Here you can find information about when and how to make a risk assessment.


What is a risk assessment?

The data protection approach to processing personal data is risk-based. A risk assessment is an objective assessment of the risks the planned processing of personal data may pose for the rights and freedoms of data subjects. Thus, when carrying out a risk assessment, you need to assess both the likelihood of an event occurring and the impact such an event would have on the person whose data you are processing (the data subject).


What is the difference between a data protection risk assessment and other risk assessments?

A data protection risk assessment concerns the risks to which the data subjects are exposed when their personal data is being processed. This means that the risk assessment should not concern the data controller’s risk of sanctions, damage to reputation or similar.   

The data controller must take the place of the data subject and consider the risks to which the data subject will be exposed in the planned processing activity(ies) to be performed by the data controller.  

When should a written risk assessment be made?

Prior to any processing of personal data, a written risk assessment must be carried out by the data controller or by a data processor on behalf of the data controller. In the latter case, the data controller will make a risk assessment of the processing that the data processor is to perform.    

Who should make a written risk assessment and why?

As a researcher employed at AU, you are responsible for ensuring that, in your research project, AU complies with the statutory data protection rules. As you or your research group is most likely to know how the processing of personal data is to be carried out, you will be best suited to assess the risks to which the data subject will be exposed in the processing of his or her personal data.  
 
In other words, you must carry out a risk assessment of the planned processing of personal data before you start processing the personal data. In this way, you can assess whether you need to make an impact assessment, and which security measures are necessary to protect the personal data while you are processing it.   

How do I prepare a written risk assessment?

There are no formal requirements for the risk assessment, but it must be in writing (documented) to live up to the accountability principle of the General Data Protection Regulation.  

The risk assessment must include an assessment of the risks to which the data subject is exposed in the following areas:  

  • confidentiality,
  • integrity, and
  • availability.

There are many ways to carry out a risk assessment, but common to them all is that the risk assessment consists of: 

  • Identification of potential risks, 
  • Assessment of the likelihood of the event occurring, and  
  • Assessment of the consequences for the data subject, should the event actually occur.  

Template

This guide includes a template for carrying out a risk assessment of the planned processing of personal data in your research project. Note that the template is not suitable for large and complex research projects involving, for example, many project partners, or for IT systems, etc., as this will require a more extensive template.  
If you need an extended template, contact the Data Protection Unit at dpo@au.dk.    


Likelihood

To use the template, you have to be familiar with the scale used for assessing likelihood. Use the following criteria in your assessment of the likelihood of the event occurring: 

Unlikely (1)

The event will almost never occur.

Not very likely (2)

The event will only occur under exceptional circumstances.

Likely (3)

The event could occur in many cases.

Expected (imminent) (4)

The event will occur.


Consequences

When evaluating the consequences of an event, you should assume that the event has occurred. You should then assess the impact (consequences) this will have on the data subject.  

In your assessment of consequences, always remember to consider the number/category of data subjects and the scope/category of personal data, and remember to assess the consequences on the basis of the worst-case scenario.

Types of consequences:   

  • Physical damage: Physical damage is inflicted on the person whose data is being processed.
  • Material damage: E.g. loss of revenue.
  • Non-material damage: E.g. damage of reputation.

The degree of consequences: 

No or insignificant consequences (1)

No particular impact on the data subject in connection with the event. 

Inconvenient consequences (2)

There are shortcomings that are inconvenient, but not to a serious degree. 

Critical consequences (3)

The processing entails critical consequences for the person whose data is being processed, e.g. unauthorised disclosure of ordinary personal data.    

Unacceptable consequences (4)

The consequences of processing are so serious for the person whose data is being processed that the processing must not be carried out unless measures are taken to significantly reduce the risk of damage. This may involve unauthorised disclosure of sensitive personal data.


How do I calculate the risk, and how do I interpret the result of a risk assessment?

Likelihood and consequences each have a value from 1 to 4, where 1 is the lowest and 4 is the highest. The risk is calculated by multiplying the likelihood of the event occurring by the consequences of the event occurring.

Risk matrix (likelihood x consequences):

Likelihood \ Consequences   No or insignificant   Inconvenient       Critical           Unacceptable
                            consequences (1)      consequences (2)   consequences (3)   consequences (4)
Unlikely (1)                1                     2                  3                  4
Not very likely (2)         2                     4                  6                  8
Likely (3)                  3                     6                  9                  12
Expected (imminent) (4)     4                     8                  12                 16

After multiplying the values, you will get a figure which appears in the above matrix. The figure shows whether the risk to which the data subject is exposed is considered low (green), medium (yellow) or high (red). Use the result to decide whether to mitigate (reduce) the risk, eliminate the risk where possible, or accept the risk.

Also note that, as a general rule, you will have to carry out an impact assessment if the risk is high. If you need to carry out an impact assessment, contact AU's data protection officer at dpo@au.dk for help.

The Danish Data Protection Agency has established some cases in which processing will always result in a high risk for the data subject. These cases are listed in part 7 of this template.



What is an impact assessment?

AU’s data protection officer, DPO, can help you assess whether an impact assessment is necessary based on your risk assessment. The DPO can also help guide you through the impact assessment, which must be carried out by you as a researcher.  

MORE INFORMATION WILL BE AVAILABLE SOON.