How to assess privacy risks?
On this page: risk, security, assessment, harm, damage, dpia, threat, secure, measure, safeguard, protect, plan, probability, likelihood, impact
Date of last review: 2023-04-18
Before you start your research project, it is important to consider the risks and their severity for data subjects in your project. This assessment will inform you on which (additional) safeguards to put in place to mitigate the risks.
Privacy and security risks are usually outlined in a privacy scan or Data Protection Impact Assessment (DPIA), and purely security risks in a data classification. If you create an algorithm that can affect people, an “Impact Assessment Fundamental Rights and Algorithms” may be required, either on its own or combined with any of the aforementioned assessments.
Risk assessment step by step
When going through the below steps, take into account at least the following risk scenarios:
- Data breach (unintended security risks): someone unauthorised gains (or keeps) access to personal data, or personal data are lost due to a security incident.
- Inability for data subjects to exercise their rights: for example, data subjects have not been (well-)informed about data processing, there is no contact person to ask for data removal, or there is no procedure in place to find, correct or remove data subjects’ data.
- Intrusion of personal space: for example, you observe data subjects in a place or at a time where/when they would expect a sense of privacy (e.g., dressing rooms or at home). If there is secret or excessive observation, people may feel violated and stifled.
- Inappropriate outcomes: the outcomes of your research project may also impact data subjects, for example when it induces discrimination, inappropriate bias, (physical or mental) health effects, but also when a lack of participation denies data subjects beneficial treatment effects.
Outline which and how much (personal) data you use, how, and for what purposes
This is usually one of the first steps of a privacy scan.
Is there a project with similar data, purposes, methods and techniques?
If there are projects that are the same as or very similar to your project, you can reuse relevant work from their privacy scan or, if applicable, Data Protection Impact Assessment (DPIA). Naturally, you should adjust the sections that do not apply to your own project. If you are not sure whether there are existing projects similar to yours, ask your privacy officer or colleagues.
List possible harm to data subjects and others
Make an overview of the possible harm that could occur to data subjects and others if any of the risk scenarios occurs. These could be:
- Physical harm: damage to someone’s physical integrity, such as when they receive the wrong medical treatment, end up as a victim of a violent crime, or develop mental health problems such as depression or anxiety.
- Material harm: destruction of property or economic damage, such as financial loss, career disadvantages, reduced state benefits, identity theft, extortion, unjustified fines, costs for legal advice after a data breach, etc.
- Non-material harm:
  - Social disadvantage, for example damage to someone’s reputation, humiliation, social discrimination, etc.
  - Damage to privacy, for example a lack of control over their own data or the feeling of being spied on. This can happen when you collect a lot of personal data, or collect data for a longer period of time (e.g., with surveillance or web applications).
  - Chilling effects: when someone stops or avoids doing something they otherwise would, because they fear negative consequences or feel uncomfortable.
  - Interference with rights: using personal data may violate other fundamental rights, such as the right to non-discrimination or freedom of expression.
Estimate the risk level without safeguards
After listing the possible harm, you should determine the risk level of each harm occurring. The risk level depends on:
- the impact of the harm: what is the effect of each of the 4 scenarios above on the data subject and others (major, substantial, manageable, minor)?
- the likelihood of the harm occurring: this depends on the circumstances of your project, such as: what and who can cause the harm to occur? How easily are mistakes made (e.g., how easily will an unauthorised person gain access)?
It is important to first determine the risk level assuming you implement no safeguards at all. This is the risk level you are left with if all your safeguards fail. The higher this initial risk, the more you should do to mitigate it.
Determine the safeguards you can use to mitigate the risks
In many cases, it is possible to mitigate the risks by implementing organisational and technical measures. The higher the risks, the more and/or stricter measures should be in place to mitigate them. You can find some relevant measures in the Privacy by Design chapter, and on the example page in this chapter.
Determine the residual risk after implementing safeguards
By implementing safeguards, you are decreasing the likelihood of the risks occurring. If the risk is still unacceptably high, even after implementing safeguards, you should:
- Modify your processing to reduce the impact of potential damages (for example, refrain from collecting specific data types), or
- Implement more or better measures, reducing the likelihood of any harm occurring.
It will always be difficult to quantify risks. Therefore, it is largely the argumentation that explains how the risk level was determined. The same harm may be very unlikely to occur in one project, while in another it may be very likely: context matters!
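As an added illustration (this code is not part of the handbook or of any assessment template it refers to), the following Python sketch turns the steps above into a small risk register: each harm is tied to one of the four risk scenarios, gets an impact level and a likelihood without safeguards, and safeguards lower the likelihood, after which the residual risk decides whether the processing should be modified or more measures added. The impact labels (major, substantial, manageable, minor) come from this page; the four-step likelihood scale, the low/medium/high matrix, the acceptability threshold and the sample harms are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

# Impact scale from the page (major, substantial, manageable, minor), scored 4..1.
IMPACT_SCORE = {"minor": 1, "manageable": 2, "substantial": 3, "major": 4}
# Assumed four-step likelihood scale; the page does not prescribe one.
LIKELIHOOD_ORDER = ["remote", "possible", "likely", "almost certain"]
LIKELIHOOD_SCORE = {name: i + 1 for i, name in enumerate(LIKELIHOOD_ORDER)}


def risk_level(impact: str, likelihood: str) -> str:
    """Assumed qualitative matrix: impact x likelihood -> low / medium / high."""
    score = IMPACT_SCORE[impact] * LIKELIHOOD_SCORE[likelihood]
    if score >= 9:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


@dataclass
class Safeguard:
    name: str
    # Steps down the likelihood scale the measure is argued to achieve
    # (assumed model: safeguards lower likelihood, not impact).
    likelihood_reduction: int = 1


@dataclass
class Harm:
    scenario: str            # one of the four risk scenarios on the page
    description: str
    impact: str              # major / substantial / manageable / minor
    initial_likelihood: str  # likelihood with NO safeguards in place
    safeguards: list = field(default_factory=list)

    def residual_likelihood(self) -> str:
        steps = sum(s.likelihood_reduction for s in self.safeguards)
        idx = max(0, LIKELIHOOD_ORDER.index(self.initial_likelihood) - steps)
        return LIKELIHOOD_ORDER[idx]

    def initial_risk(self) -> str:
        return risk_level(self.impact, self.initial_likelihood)

    def residual_risk(self) -> str:
        return risk_level(self.impact, self.residual_likelihood())


def recommendation(harm: Harm) -> str:
    """Apply the page's decision rule: if residual risk is still unacceptably high,
    reduce impact (modify the processing) or add/strengthen measures (reduce likelihood)."""
    residual = harm.residual_risk()
    if residual == "high":
        return ("unacceptable: modify the processing to reduce impact "
                "(e.g. collect fewer data types) or implement more/better measures")
    if residual == "medium":
        return "acceptable only with documented argumentation for the risk level"
    return "acceptable"


def assess_register(harms):
    """One row per harm: initial risk, residual risk after safeguards, and advice."""
    return [
        {"scenario": h.scenario, "harm": h.description,
         "initial": h.initial_risk(), "residual": h.residual_risk(),
         "advice": recommendation(h)}
        for h in harms
    ]


def with_reduced_impact(harm: Harm, new_impact: str) -> Harm:
    """Model 'modify your processing': the same harm with a lower impact level."""
    return Harm(harm.scenario, harm.description, new_impact,
                harm.initial_likelihood, list(harm.safeguards))


# Constructed sample register for a hypothetical interview-and-observation study.
SAMPLE_REGISTER = [
    Harm("data breach", "health data of participants exposed after a laptop theft",
         impact="major", initial_likelihood="likely",
         safeguards=[Safeguard("full-disk encryption"),
                     Safeguard("role-based access to the project share")]),
    Harm("inability to exercise rights", "participant cannot get their recording deleted",
         impact="manageable", initial_likelihood="possible",
         safeguards=[Safeguard("named contact person and deletion procedure")]),
    Harm("intrusion of personal space", "video observation of participants at home",
         impact="substantial", initial_likelihood="almost certain",
         safeguards=[Safeguard("informed consent with announced recording times")]),
]

if __name__ == "__main__":
    for row in assess_register(SAMPLE_REGISTER):
        print(row)
    # The home-observation harm stays high: reduce impact instead (e.g. no audio).
    home = with_reduced_impact(SAMPLE_REGISTER[2], "manageable")
    print("after modifying processing:", home.residual_risk())
```

The register keeps the two levers of the page separate: safeguards only move the likelihood column, while changing the impact level requires changing what you collect. The matrix thresholds are the part to argue about in your privacy scan, since, as the page notes, the same harm can sit in different cells in different projects.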