Working with risk assessments
A risk assessment is an assessment that you as a data controller must make of the risks to which the data subjects (customers, employees, etc.) are exposed.
The regulation requires risk assessment to ensure that technical and organisational security measures are proportional to the information you as a data controller process. This means that you plan your security measures based on what data you handle to achieve the best possible security and protection of the data subject’s information.
Create a risk
To assess a risk, you must first create a risk. This is done by pressing ‘create’ (1) or the edit icon (2).
3 – Function icons, from left to right: delete and archive.
When you click ‘create’ or ‘edit’ a form opens:
1 – Enter the title of the risk. It is up to you what the title should be; choose one that makes the risk easy to recognise and manage.
2 – Once you have identified a risk and created a risk category, clicking ‘create risk assessment’ allows you to open a risk assessment form. Here you will also be able to see if a risk assessment has already been carried out.
3 – Click create if you have simply identified a risk but do not want to do the risk assessment immediately, or want to create a risk category before you start the risk assessment. This saves the risk in the overview without a risk assessment, which can then be carried out later.
Create risk assessment
Once you’ve created both risk and risk category, you can start the risk assessment. This is done by clicking on section no. 2 in the image above. A field will appear where you need to start by deciding what you want to risk assess. Clicking on the field will produce a list of the following choices that you can make:
‘General’ is for the risks that are of a general nature to the organization. Examples include ‘burglaries’ belonging to the risk of ‘malicious people’. A general risk assessment can be either internal or external in nature. This is indicated on the risk assessment. A distinction is made between internal and external risks, as internal risks are often reduced through processes and training, while external risks are most often reduced by implementing measures (e.g., an alarm system).
If you do not choose general, you can choose to risk assess a work process, a data recipient, or an IT system / information asset. If one of these three is selected, the work process, data recipient or IT system / information asset is risk assessed in the field that appears next to it. The list adapts to the type you have chosen and will represent the work processes, data recipients and IT systems / information assets that you have created in the portal.
Describe risk assessment
Once you have chosen which type you risk assess, the risk assessment form adapts to it. The first thing it will ask you to do is describe the risk assessment. Here you describe how the risk is expressed. For example, it may be a description of how human error can affect the work process for receiving applications.
The consequences for the data subject
If there is a breach of the data subject’s rights, for example by information about the data subject being hacked, leaked, or otherwise lost by the company, the consequences depend on the information:
1 – Very low – Only name or stand-alone identification information.
2 – Low – More common information.
3 – Medium – General information of a confidential nature (e.g., absence / payment information, etc.)
4 – High – Special information.
5 – Very high – Sensitive information.
When carrying out the impact assessment, please note that you are assessing the impact on the data subject and not on the company. Most often, the assessment will be based on the classic division of general, special and sensitive information, but information that is not immediately sensitive in nature may still constitute sensitive information. For example, a record of the periodicals delivered by mail to a person may all point to a particular religious or political affiliation. The risk assessment must reflect this.
In the form it looks like this:
- Specify the level of consequence. The overview of which number corresponds to which level is given above and also appears in section 2.
- Here, the form shows which level is selected for the consequence.
- You can click here and select some standard descriptions that have already been created.
- Here you can write some comments on why the consequence is assessed the way it is.
The probability of the risks becoming a reality
Here you need to assess the probability. The probability is influenced by various factors depending on the type of risk. There are also various measures that can reduce the risks.
The likelihood of some types of risks can be reduced through policies, guidelines and awareness training, targeted at the individual risk. In the case of internal IT systems / information assets, the probability can be affected by technical measures.
For the general risks, the probability can also be influenced through policies, guidelines, organizational measures, and security measures, which is why a specific assessment of the probability must be prepared for each risk.
The assessment of probability is therefore based on the level of impact compared to the level of security measures. If the security measures are at the same level as the consequence, this indicates a ‘very low’ or ‘low’ probability.
This part of the form is filled in the same way as the impact assessment above.
Overview of a risk
To get an overview of the individual risk, you can open an overview window. To do this, click one of the following:
In the overview, you will be able to see the title of the risk, which can be edited by clicking on it. You can see a full list of all risk assessments based on the risk you have selected. You can edit and delete each risk assessment, and see the calculated risk level on the right, along with an indicator of whether the risk is acceptable – a green check mark if it is and a red exclamation mark if not.
The ongoing work with risk assessments
Risk assessments involve some ongoing tasks that must be planned as part of the general GDPR work.
- New risk assessments must be made every time a new work process or a new IT system is introduced.
- Risk assessments must be updated or inspected every time a work process is corrected, or a new IT system/data recipient is put into use.
- For all risk assessments where the calculated risk is not accepted, a measure must be implemented that reduces the risk to an acceptable level.
- All risk assessments shall be reassessed once a year. If the risk assessment remains unchanged, this may be noted in the reassessment.
- It is recommended to create a control series at an annual interval to review all risk assessments.
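As an added illustration of the ongoing tasks above and the consequence scale (not code from the portal): a small Python model of a risk register that flags assessments whose risk is not accepted and those due for their annual reassessment. The portal’s actual formula for the calculated risk level is not stated in the article; here risk is assumed to be consequence × probability with an acceptance threshold of 6, and the probability values are assumed to have been assessed manually against the level of security measures.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Consequence scale for the data subject, as given in the article (1-5).
CONSEQUENCE = {
    "name_only": 1,     # very low: only name or stand-alone identification
    "common": 2,        # low: more common information
    "confidential": 3,  # medium: e.g. absence / payment information
    "special": 4,       # high: special information
    "sensitive": 5,     # very high: sensitive information
}
# Assumption: risk = consequence * probability, accepted when <= 6.
ACCEPTABLE_RISK = 6
# Article: all risk assessments are reassessed once a year.
REASSESS_INTERVAL = timedelta(days=365)

@dataclass
class RiskAssessment:
    risk: str
    target: str             # 'general', work process, data recipient or IT system
    consequence: int        # 1-5 per CONSEQUENCE
    probability: int        # 1-5, assessed against the security measures in place
    last_reviewed: date
    measure_implemented: bool = False

    def risk_level(self) -> int:
        return self.consequence * self.probability

    def accepted(self) -> bool:
        return self.risk_level() <= ACCEPTABLE_RISK

def open_tasks(register, today):
    """Return one line per ongoing task the article requires."""
    tasks = []
    for ra in register:
        if not ra.accepted() and not ra.measure_implemented:
            tasks.append(f"{ra.risk} ({ra.target}): risk {ra.risk_level()} not accepted, implement a measure")
        if today - ra.last_reviewed >= REASSESS_INTERVAL:
            tasks.append(f"{ra.risk} ({ra.target}): annual reassessment due")
    return tasks

# Constructed sample register; not data from any real portal.
TODAY = date(2024, 12, 1)
REGISTER = [
    RiskAssessment("Human error", "Receiving applications", CONSEQUENCE["confidential"], 2, date(2024, 3, 1)),
    RiskAssessment("Malicious people", "general", CONSEQUENCE["sensitive"], 3, date(2023, 11, 15)),
]

if __name__ == "__main__":
    for line in open_tasks(REGISTER, TODAY):
        print(line)
```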