The DPIA Risk-Scoring Cheat Sheet
A one-page reference for scoring privacy risk the way a practitioner actually does it — proportionate, defensible, and quick. Drop your email and it unlocks below (and lands in your inbox).
DPIA Risk-Scoring — Quick Reference
1 · Score likelihood × severity
| Severity ↓ / Likelihood → | Rare | Possible | Likely |
|---|---|---|---|
| Limited | Low | Low | Medium |
| Significant | Low | Medium | High |
| Severe | Medium | High | Critical |
2 · Confirmed vs. not-yet-known
Score what you know. A confirmed deficiency (you've seen the gap) carries its full rating. A not-yet-known item (you've asked, no answer yet) is an open question, not a Critical — log it as Medium pending evidence and re-score when the answer arrives. This one habit keeps a register from crying wolf.
3 · Is a DPIA legally triggered?
You generally need one if any is true: large-scale processing of special-category data; systematic monitoring of a public area or workforce; automated decisions with legal/significant effect; or a new technology whose risk you can't yet bound. If two or more are borderline, run it — the assessment is cheaper than the argument later.
4 · Residual-risk sign-off (paste-ready)
“After the mitigations above, residual risk is assessed as [Low/Medium]. Remaining open items are tracked in the action table with owners and dates. Processing may proceed under monitoring; re-assessment is triggered by any change to scope, data categories, or vendor.”