Making a risk assessment
A risk assessment is an assessment that you, as the data controller, must make of the risks to which the data subjects (customers, employees, etc.) are exposed.
The regulation requires a risk assessment to ensure that technical and organizational security measures are proportional to the information you, as the data controller, process. This means that you plan your security measures based on what data you handle, so as to achieve the best possible security and protection of the data subjects’ information.
Create a risk
Before you can assess a risk, you need a risk to assess. Therefore, you start by creating a risk, if you haven’t done so already. This is done in the portal. Go to the menu bar on the left side, press ‘risk assessments’ and then ‘risks’. When you get to the overview of risks, press ‘create’.
Creating a risk assessment
When you’re done creating a risk, you can start the risk assessment. You can enter the form for filling out the risk assessment from a few different places in the portal. One place where you can start a risk assessment is at the bottom of the form for the risk itself. Another place is next to each work process. If you go to the risk assessment this way, you need to go to the overview of work processes. If a risk assessment is missing, there will be a blue mark that says ‘no available risk assessment’. The same applies to data recipients and IT systems / information assets.
If you make a risk assessment directly from a risk you have created – human error, for example – the form will ask you to specify the type as the first step, as shown in the picture below.
If you make a risk assessment directly from a work process, IT system / information asset or data recipient, the form will ask you to specify the risk as the first step.
‘General’ is for the risks that are of a general nature to the organization. Examples include ‘burglaries’ belonging to the risk of ‘malicious people’. A general risk assessment can be either internal or external in nature. This is indicated on the risk assessment. A distinction is made between internal and external risks, as internal risks are often reduced through processes and training, while external risks are most often reduced by implementing measures (e.g., an alarm system).
If you do not choose general, you can choose to risk assess a work process, a data recipient, or an IT system / information asset. If one of these three is selected, the work process, data recipient or IT system / information asset to be risk assessed is chosen in the field that appears next to it. The list adapts to the type you have chosen and will show the work processes, data recipients or IT systems / information assets that you have created in the portal.
Here you can see the form of a risk assessment. In the example the chosen type is general and internal.
1. Here you choose the type of the risk assessment; once it is chosen, the rest of the form is shown.
2. Here you describe how the risk is expressed. For example, it may be a description of how human error can affect the work process for receiving applications.
3. This part concerns the consequence. If there is a breach of the data subject’s rights, for example by information about the data subject being hacked, leaked, or otherwise lost by the company, the consequences depend on the information in question:
1 – Very low – only name or stand-alone identification information.
2 – Low – more common information.
3 – Medium – general information of a confidential nature (e.g., absence / payment information, etc.).
4 – High – special information.
5 – Very high – sensitive information.
When carrying out the impact assessment, please note that you are assessing the impact on the data subject and not on the company. Most often, the assessment will be based on the classic division into general, special and sensitive information, but information that is not immediately sensitive in nature may still constitute sensitive information. For example, a person may receive mail deliveries of periodicals that all point to a particular religious or political affiliation. The risk assessment must reflect this.
In the form it looks like this:
- Specify the level of consequence. The overview of which number corresponds to which level can be seen above and will also appear in section 2.
- Here, the form will show which level is selected for the consequence.
- You can click here and select some default descriptions that have already been created.
- Here you can write some comments on why the consequence is assessed the way it is.
4. Here you need to assess the probability. The probability is influenced by various factors depending on the type of risk. Thus, there are also various measures that can reduce the risks.
The likelihood of some types of risks can be reduced through policies, guidelines and awareness training, targeted at the individual risk. In the case of internal IT systems / information assets, the probability can be affected by technical measures.
For the general risks, the probability can also be influenced through policies, guidelines and organizational and security measures, which is why a specific assessment of the probability must be prepared for each risk.
The assessment of probability is therefore based on the level of impact compared to the level of the security measures. If the security measures are at the same level as the consequence, this points to a very low / low probability.
This part of the form is filled in the same way as the impact assessment above.
5. Here the result of the risk assessment is shown. The estimated risk is based on the consequence and the probability.
6. Here it is possible to attach files to the risk assessment if necessary. You do this by clicking on the field, which will unfold the bar and let you select the files to be uploaded.
7. Here you can assign the risk assessment to the local portals. This is relevant for the group portal, and it gives you the ability to create one risk assessment and let it apply to several local portals, if the risk is the same for several local portals in the group. To assign the risk assessment to a local portal, click the bar, which will unfold and show all the local portals connected to the group. You can choose to select all, or select some individually by clicking the icon next to the local portal.
The ongoing work with risk assessments
In connection with risk assessments, there are some ongoing tasks that must be planned as part of the general GDPR work.
- New risk assessments must be made every time a new work process or a new IT system is made.
- Risk assessments must be updated or inspected every time a work process is corrected, or a new IT system/data recipient is put into use.
- For all risk assessments where the calculated risk is not accepted, a measure must be implemented that reduces the risk to an acceptable level.
- All risk assessments shall be reassessed once a year. If the risk assessment remains unchanged, this may be noted in the reassessment.
- It is recommended to create a control series at an annual interval to review all risk assessments.
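As an added example (not part of the portal or its documentation), the consequence scale, the probability rule from the probability section and the ongoing tasks listed above, expressed in Python so the same logic can be applied to a list of assessments. The 1..5 scale for security measures, the probability mapping (1 + shortfall, clamped) and the product as risk score are assumptions made for this example; the sample assessments are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Consequence scale as given on the page (impact on the data subject, not on the company).
CONSEQUENCE_LEVELS = {
    1: "Very low - only name or stand-alone identification information",
    2: "Low - more common information",
    3: "Medium - general information of a confidential nature",
    4: "High - special information",
    5: "Very high - sensitive information",
}

def derive_probability(consequence: int, measure_level: int) -> int:
    """Probability 1..5 from comparing the consequence level with the level of the
    security measures (page rule: equal levels point to very low/low probability).
    The mapping 1 + shortfall, clamped to 1..5, is an assumption of this example."""
    if not (1 <= consequence <= 5 and 1 <= measure_level <= 5):
        raise ValueError("consequence and measure level must both be 1..5")
    return max(1, min(5, 1 + consequence - measure_level))

@dataclass
class RiskAssessment:
    name: str
    consequence: int    # 1..5, see CONSEQUENCE_LEVELS
    measure_level: int  # 1..5, strength of implemented measures (assumed scale)
    accepted: bool      # the controller's decision on the calculated risk
    last_assessed: date

    def score(self) -> int:
        # Estimated risk from consequence and probability; the product is an assumption.
        return self.consequence * derive_probability(self.consequence, self.measure_level)

def review(assessments, today: date) -> list:
    """Ongoing tasks from the page: a reducing measure wherever the calculated risk
    is not accepted, and a reassessment of every assessment at least once a year."""
    findings = []
    for a in assessments:
        if not a.accepted:
            findings.append(f"{a.name}: risk {a.score()} not accepted, implement a measure")
        if today - a.last_assessed > timedelta(days=365):
            findings.append(f"{a.name}: annual reassessment overdue")
    return findings

def sample_assessments():
    # Constructed sample data for this example.
    return [
        RiskAssessment("Human error, application intake", 4, 2, False, date(2023, 1, 15)),
        RiskAssessment("Burglary, office", 2, 2, True, date(2024, 3, 1)),
    ]
```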