Working with risk assessment
A risk assessment is the assessment that you, as a data controller, must make of the risks to which the data subjects (customers, employees, etc.) are exposed.
The GDPR requires a risk assessment so that your technical and organisational security measures are proportional to the information you process as a data controller. In other words, you plan your security measures based on what data you handle, in order to achieve the best possible security and protection of the data subject’s information.
Create a risk
1. Create
-Click here to create a new risk.
2. Edit
-Here you can edit an existing risk.
3. Archive/delete
-Here you can archive or delete an existing risk.
When you click “create” (1) or “edit” (2) a form opens:
1. Title
-Enter a title for the risk. The title is up to you; choose one that makes the risk easy to recognise in the overview.
2. Create risk assessment
-Once you have identified a risk and created a risk category, clicking “create risk assessment” opens the risk assessment form. Here you can also see whether a risk assessment has already been carried out for this risk.
3. Create
-Click “create” if you have only identified a risk and do not want to carry out the risk assessment right away, or if you want to create a risk category before you start the risk assessment. The risk is then saved in the overview without a risk assessment, which can be carried out later.
Create risk assessment
Once you have created both the risk and the risk category, you can start the risk assessment. This is done by clicking “create risk assessment” (2) in the image above.
A field appears in which you first decide what you want to risk assess. Clicking the field produces a list of the following choices:
“General” is for risks of a general nature to the organisation, for example “burglary” under the risk category “malicious people”. A general risk assessment can be either internal or external in nature, and this is indicated on the risk assessment.
The distinction between internal and external risks matters because internal risks are usually reduced through processes and training, while external risks are most often reduced by implementing measures (e.g. an alarm system).
If you do not choose “General”, you can risk assess a work process, a data recipient, or an IT system / information asset. When one of these three is selected, the specific work process, data recipient or IT system / information asset is chosen in the field that appears next to it. The list adapts to the type you have chosen and contains the work processes, data recipients and IT systems / information assets that you have created in the portal.
Describe risk assessment
Once you have chosen what you are risk assessing, the risk assessment form adapts to it. The first thing it asks you to do is describe the risk assessment, i.e. how the risk manifests itself. For example, it may be a description of how human error can affect the work process for receiving applications.
The ongoing work with risk assessments
Risk assessments involve some ongoing tasks that must be planned as part of the general GDPR work:
- A new risk assessment must be made every time a new work process or a new IT system is introduced.
- Existing risk assessments must be reviewed and updated every time a work process is changed, or a new IT system or data recipient is put into use.
- For every risk assessment where the calculated risk is not accepted, a measure must be implemented that reduces the risk to an acceptable level.
- All risk assessments must be reassessed once a year. If the risk assessment is unchanged, this can simply be noted in the reassessment.
- It is recommended to create a control series with an annual interval for reviewing all risk assessments.
The consequences for the data subject
If the data subject’s rights are breached, for example because information about the data subject is hacked, leaked, or otherwise lost by the company, the consequences depend on the information involved.
When carrying out the consequence assessment, note that you are assessing the impact on the data subject, not on the company. Most often, the assessment is based on the classic division into general, special and sensitive information, but information that is not sensitive in itself may become sensitive in combination. For example, if a person’s mail delivery consists of periodicals that all point to a particular religious or political affiliation, the delivery records reveal that affiliation. The risk assessment must reflect this.
In the form it looks like this:
1. Assessment
-Specify the consequence level. The scale mapping numbers to levels is shown above and is also reflected in section 2.
2. Level for consequences
-Here the form shows which consequence level has been selected.
3. Comments
-Here you can write comments explaining why the consequence is assessed the way it is.
Address
GapSolutions A/S
Uraniavej 6
DK-8700 Horsens
CVR
CVR no. 38582356
Telephone
Sales & administration
(+45) 8844 0808
Helpline & consultants
(+45) 2199 0808
E-mail
Kontakt@gapsolutions.dk
Support@gapsolutions.dk