2. Assess

Learn how to assess risk in Dastra.

Last updated 1 year ago

Based on the elements you've identified in the risk type and the asset context, you now need to assess the risk.

This assessment is based on probability and impact.

Determining the risk scale

To assess risk, we need to position these two values on a scale. This is the risk scale. This scale is generally based on 5 levels. In France, the Ebios method (promoted by the CNIL and ANSSI in particular) uses a 4-level scale.

For each level, a condition of application must be determined. The scale may correspond to a financial amount, for example (in terms of impact).

Dastra's scale can be customized. You can modify it by going to the workspace settings (note that only the administrator has access).

Probability (likelihood)

Probability is an evaluation of the frequency of occurrence of a risk. It is an empirically evaluated score (traditionally rated out of 5). Each risk level can correspond to a frequency of occurrence of the risk (and therefore of the threat).

Impact (severity)

The impact corresponds to the evaluation of the consequence of a feared event on the company. It is the severity of this consequence that is estimated.

The impact varies with the risk being assessed and can be estimated empirically, for example by estimating the cost of a data leak or of data unavailability following a computer attack. Incident and event logs help to draw on these past experiences.

If we are talking about risks to individuals (in the context of the GDPR, for example), the impact corresponds to the harm suffered by the people concerned and the infringement of their rights and freedoms, such as the discrimination, refusal of a contract or inconvenience already mentioned.

A template for Privacy Impact Assessment

We can assume that assessment is always contextual.

However, the methodology published by the CNIL for conducting privacy impact assessments (PIA) provides a reference grid for reading both scales.

The scales proposed by the CNIL in its PIA guide follow, with the contextual elements to weigh for each; the detailed impact scale is reproduced at the end of this page.

Impact

On this scale, the following contextual elements must be taken into account:

  • the identifying nature of the data;

  • the nature of the sources of risk;

  • the number of interconnections (in particular with other countries);

  • the number of recipients (which facilitates the correlation of initially separate data).

Likelihood

To assess probability, the CNIL suggests the following scale:

Likelihood scale (CNIL PIA guide), by level:

  • Negligible: it does not seem possible for the selected risk sources to carry out the threat by relying on the characteristics of the media (e.g. theft of paper media stored in an organization's premises, access to which is controlled by badge and access code).

  • Limited: it seems difficult for the selected risk sources to carry out the threat by relying on the characteristics of the media (e.g. theft of paper media stored in an organization's premises to which access is controlled by badge).

  • Important: it seems possible for the selected risk sources to carry out the threat by relying on the characteristics of the media (e.g. theft of paper media stored in the offices of an organization to which access is controlled by a receptionist).

  • Maximal: it seems extremely easy for the selected risk sources to carry out the threat by relying on the characteristics of the media (e.g. theft of paper media stored in the organization's public hall).

On this scale, the following contextual elements need to be taken into account:

  • whether the system is open to the Internet or closed;

  • whether or not data is exchanged with other countries;

  • interconnections with other systems or no interconnections at all;

  • system heterogeneity or homogeneity;

  • system variability or stability;

  • the organization's image.

Impact scale (CNIL PIA guide). For each level: the generic impact description (direct and indirect), then examples of physical, material and moral impacts.

  1. Negligible

Generic description: the people concerned will not be affected, or may experience some inconvenience, which they will be able to overcome without difficulty.

Examples of physical impacts:
  • Lack of adequate care for a non-autonomous person (minor, person under guardianship)
  • Transient headaches

Examples of material impacts:
  • Time wasted repeating procedures or waiting for them to be completed
  • Receipt of unsolicited mail (e.g. spam)
  • Reuse of data published on websites for targeted advertising purposes (information from social networks reused for a paper mailing)
  • Targeted advertising for everyday consumer products

Examples of moral impacts:
  • Simple annoyance at information received or requested
  • Fear of losing control of one's data
  • Feeling of invasion of privacy without any real or objective harm (e.g. commercial intrusion)
  • Time lost configuring one's data
  • Non-respect of the freedom to come and go online due to refusal of access to a commercial site (e.g. alcohol sales refused due to an incorrect age)

  2. Limited

Generic description: the people concerned could experience some significant inconvenience, which they will be able to overcome despite a few difficulties.

Examples of physical impacts:
  • Minor physical ailment (e.g. benign illness due to non-compliance with contraindications)
  • Lack of care causing minimal but real harm (e.g. disability)
  • Defamation giving rise to physical or psychological reprisals

Examples of material impacts:
  • Unscheduled payments (e.g. incorrectly assigned fines), additional costs (e.g. overdraft charges, legal fees), non-payment
  • Denial of access to administrative or commercial services
  • Lost convenience opportunities (e.g. cancellation of leisure activities, purchases or vacations, closure of an online account)
  • Missed professional promotion
  • Account for online services blocked (e.g. games, administration)
  • Receipt of unsolicited targeted mail likely to damage the reputation of the persons concerned
  • Increased costs (e.g. increase in the price of insurance)
  • Processing of erroneous data, e.g. creating account malfunctions (bank, customer, social security, etc.)
  • Targeted online advertising on a private aspect that the individual wished to keep confidential (e.g. pregnancy advertising, pharmaceutical treatment)
  • Inaccurate or abusive profiling

Examples of moral impacts:
  • Refusal to continue using information systems (whistleblowing, social networks)
  • Minor but objective psychological harm (defamation, reputation)
  • Relationship difficulties with personal or professional contacts (e.g. image, tarnished reputation, loss of recognition)
  • Feeling of invasion of privacy without irremediable harm
  • Intimidation on social networks

  3. Important

Generic description: the people concerned could experience significant consequences, which they should be able to overcome, but with real and significant difficulties.

Examples of physical impacts:
  • Serious physical condition causing long-term damage (e.g. worsening of a health condition due to poor treatment or failure to comply with contraindications)
  • Alteration of physical integrity, e.g. as a result of an assault, domestic accident, work accident, etc.

Examples of material impacts:
  • Non-compensated embezzlement
  • Non-temporary financial difficulties (e.g. obligation to take out a loan)
  • Targeted, one-off, non-recurring lost opportunities (e.g. home loan, refusal of studies, internships or employment, exam ban)
  • Bank ban
  • Damage to property
  • Loss of home
  • Loss of job
  • Separation or divorce
  • Financial loss following a scam (e.g. after a phishing attempt)
  • Blocked abroad
  • Loss of customer data

Examples of moral impacts:
  • Serious psychological condition (e.g. depression, development of a phobia)
  • Feeling of invasion of privacy and irremediable harm
  • Feeling of vulnerability following a summons
  • Feeling of infringement of fundamental rights (e.g. discrimination, freedom of expression)
  • Victim of blackmail
  • Cyberbullying and mobbing

  4. Maximal

Generic description: the people concerned could experience significant, even irremediable, consequences that they may not be able to overcome.

Examples of physical impacts:
  • Long-term or permanent physical ailment (e.g. following non-compliance with a contraindication)
  • Death (e.g. murder, suicide, fatal accident)
  • Permanent impairment of physical integrity

Examples of material impacts:
  • Financial peril
  • Substantial debts
  • Inability to work
  • Inability to relocate
  • Loss of evidence in litigation
  • Loss of access to vital infrastructure (water, electricity)

Examples of moral impacts:
  • Long-term or permanent psychological condition
  • Criminal sanction
  • Abduction
  • Loss of family ties
  • Inability to take legal action
  • Change in administrative status and/or loss of legal autonomy (guardianship)
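The procedure described under "Determining the risk scale" (a customizable scale, likelihood and impact positioned on it, a level that may correspond to a financial amount) and the CNIL four-level scales above, worked through in a short script. This is an added example, not Dastra's code and not the CNIL's: the level names are those of the CNIL PIA guide, while the euro thresholds for the impact scale, the rating cut-offs, the "needs treatment" rule and the sample risks are constructed for illustration only.

```python
"""Risk assessment on a configurable scale: likelihood x impact.

Added example, not Dastra's code. Level names for the 4-level scales are the
CNIL PIA guide's (Negligible, Limited, Important, Maximal); the financial
thresholds, rating cut-offs, treatment rule and sample risks are constructed.
"""
from dataclasses import dataclass
from typing import Sequence

# The four levels used by the CNIL PIA guide for both likelihood and impact.
CNIL_LEVELS = ("Negligible", "Limited", "Important", "Maximal")


@dataclass(frozen=True)
class Scale:
    """An ordered scale whose lowest level is 1.

    `thresholds` optionally maps a measured quantity (for an impact scale, e.g.
    an estimated financial loss in euros) onto a level: the level is one more
    than the number of thresholds the value reaches, so a 4-level scale needs 3.
    """
    name: str
    labels: Sequence[str]
    thresholds: Sequence[float] = ()

    def __post_init__(self) -> None:
        if len(self.labels) < 2:
            raise ValueError(f"{self.name}: a scale needs at least two levels")
        if self.thresholds and len(self.thresholds) != len(self.labels) - 1:
            raise ValueError(f"{self.name}: need one threshold fewer than levels")
        if list(self.thresholds) != sorted(self.thresholds):
            raise ValueError(f"{self.name}: thresholds must be ascending")

    @property
    def levels(self) -> int:
        return len(self.labels)

    def label(self, level: int) -> str:
        """Return the label for a level, rejecting positions off the scale."""
        if not 1 <= level <= self.levels:
            raise ValueError(f"{self.name}: level {level} outside 1..{self.levels}")
        return self.labels[level - 1]

    def level_for(self, value: float) -> int:
        """Position a measured value (e.g. a loss in euros) on the scale."""
        if not self.thresholds:
            raise ValueError(f"{self.name}: no thresholds configured")
        return 1 + sum(1 for t in self.thresholds if value >= t)


@dataclass(frozen=True)
class RiskMatrix:
    """Combines a likelihood scale and an impact scale of any size."""
    likelihood: Scale
    impact: Scale

    def score(self, likelihood: int, impact: int) -> int:
        """Raw score: likelihood x impact, after checking both positions exist."""
        self.likelihood.label(likelihood)
        self.impact.label(impact)
        return likelihood * impact

    def rating(self, likelihood: int, impact: int) -> str:
        """Bucket the raw score by its share of the matrix maximum, so the same
        constructed cut-offs (25/50/75 %) work for 4- and 5-level scales."""
        share = self.score(likelihood, impact) / (self.likelihood.levels * self.impact.levels)
        if share <= 0.25:
            return "low"
        if share <= 0.5:
            return "medium"
        if share <= 0.75:
            return "high"
        return "critical"

    def needs_treatment(self, likelihood: int, impact: int) -> bool:
        """Constructed rule: treat the risk as soon as either axis reaches the
        third level (Important on the CNIL scale), whatever the product says."""
        self.score(likelihood, impact)  # validates both positions
        return likelihood >= 3 or impact >= 3

    def assess(self, name: str, likelihood: int, impact: int) -> dict:
        """Full assessment record for one risk, with labels from both scales."""
        return {
            "risk": name,
            "likelihood": self.likelihood.label(likelihood),
            "impact": self.impact.label(impact),
            "score": self.score(likelihood, impact),
            "rating": self.rating(likelihood, impact),
            "treat": self.needs_treatment(likelihood, impact),
        }


# Constructed workspace configuration: CNIL 4-level likelihood, and an impact
# scale keyed on estimated financial loss in euros (thresholds are illustrative).
LIKELIHOOD = Scale("Likelihood", CNIL_LEVELS)
IMPACT = Scale("Impact", CNIL_LEVELS, thresholds=(10_000, 100_000, 1_000_000))
MATRIX = RiskMatrix(LIKELIHOOD, IMPACT)

if __name__ == "__main__":
    # Constructed sample risks: (name, likelihood level, estimated loss in euros).
    samples = [
        ("Theft of paper files from a badge-controlled room", 2, 25_000),
        ("Ransomware making customer data unavailable", 3, 400_000),
        ("Spam sent to a marketing list", 4, 2_000),
    ]
    for risk_name, lik, loss in samples:
        print(MATRIX.assess(risk_name, lik, IMPACT.level_for(loss)))
```

Running the script prints one assessment record per sample risk. Because `Scale` accepts any number of labels, a workspace that keeps a 5-level scale (as the page notes is the usual choice) uses the same `RiskMatrix` unchanged; only the labels and, if used, the thresholds differ.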