Data Protection Impact Assessment Workbook
Security Classification: [Insert Classification]
Impact Assessment Title: [Describe scope of assessment]
Version: 1
Dated: dd/mm/yy
Approval: [Name of approver]
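Column groups: Risk Description; Pre-Treatment; Treatment

| Ref. | Personal Data Asset | Risk Scenario | Risk Owner | Existing Controls | Likelihood | Likelihood Rationale | Impact | Impact Rationale | Risk Score | Risk Level | Treatment option chosen |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 |  |  |  |  | Select… |  | Select… |  | Calculated | Calculated | Select… |
| 2 |  |  |  |  | Select… |  | Select… |  | Calculated | Calculated | Select… |
| 3 |  |  |  |  | Select… |  | Select… |  | Calculated | Calculated | Select… |
| 4 |  |  |  |  | Select… |  | Select… |  | Calculated | Calculated | Select… |
| 5 |  |  |  |  | Select… |  | Select… |  | Calculated | Calculated | Select… |
| 6 |  |  |  |  | Select… |  | Select… |  | Calculated | Calculated | Select… |
| 7 |  |  |  |  | Select… |  | Select… |  | Calculated | Calculated | Select… |
| 8 |  |  |  |  | Select… |  | Select… |  | Calculated | Calculated | Select… |
| 9 |  |  |  |  | Select… |  | Select… |  | Calculated | Calculated | Select… |
| 10 |  |  |  |  | Select… |  | Select… |  | Calculated | Calculated | Select… |
| 11 |  |  |  |  | Select… |  | Select… |  | Calculated | Calculated | Select… |
| 12 |  |  |  |  | Select… |  | Select… |  | Calculated | Calculated | Select… |
| 13 |  |  |  |  | Select… |  | Select… |  | Calculated | Calculated | Select… |
| 14 |  |  |  |  | Select… |  | Select… |  | Calculated | Calculated | Select… |
| 15 |  |  |  |  | Select… |  | Select… |  | Calculated | Calculated | Select… |
| 16 |  |  |  |  | Select… |  | Select… |  | Calculated | Calculated | Select… |
| 17 |  |  |  |  | Select… |  | Select… |  | Calculated | Calculated | Select… |
| 18 |  |  |  |  | Select… |  | Select… |  | Calculated | Calculated | Select… |
| 19 |  |  |  |  | Select… |  | Select… |  | Calculated | Calculated | Select… |
| 20 |  |  |  |  | Select… |  | Select… |  | Calculated | Calculated | Select… |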
(a further 7 columns are not shown)
Proposed control
Likelihood

The following table should be used to decide upon the most appropriate likelihood for a particular threat.

| Likelihood | Description | Summary |
|---|---|---|
| 1 | Improbable | Has never happened before and there is no reason to think it is any more likely now |
| 2 | Unlikely | There is a possibility that it could happen, but it probably won't |
| 3 | Likely | On balance, the risk is more likely to happen than not |
| 4 | Very Likely | It would be a surprise if the risk did not occur either based on past frequency or current circumstances |
| 5 | Almost certain | Either already happens regularly or there is some reason to believe it is virtually imminent |
Impact

The following table should be used as guidance to help to decide upon the correct impact rating for a particular threat.

| Impact Level | General Impact Rating Description | Impact Area: Damage to Reputation | Impact Area: Legal, contractual and organisational Compliance | Impact Area: Effect on Customers | Impact Area: Financial Cost | Impact Area: Health and Safety |
|---|---|---|---|---|---|---|
| 1 | Negligible | Negligible | No implications | No effect | Very little or none | Very small additional risk |
| 2 | Slight | Slight | Small risk of not meeting compliance | Some local disturbance to normal business operations | Some | Within acceptable limits |
| 3 | Moderate | Moderate | In definite danger of operating illegally | Can still deliver product/service with some difficulty | Unwelcome but could be borne | Elevated risk requiring immediate attention |
| 4 | High | High | Operating illegally in some areas | Business is crippled in key areas | Severe effect on income and/or profit | Significant danger to life |
| 5 | Very High | Very High | Severe fines and possible imprisonment of staff | Out of business; no service to customers | Crippling; the organisation will go out of business | Real or strong potential loss of life |
Classification of Risk Level

The chart below shows the rating scheme used to determine risk level based on a combination of likelihood and impact.

[Chart: RISK SCORE. Axes: Risk Likelihood (1 to 5) and Risk Impact (1 to 5). Bands: LOW, MEDIUM, HIGH.]