DPO: Perform an impact assessment – PIA

APM classifies each processing activity with one of 3 statuses:

  • No risk
  • Potential risk, PIA recommended
  • Risky, PIA mandatory

In the third case, and potentially in the second case, you need to perform a privacy impact assessment (PIA).

To perform an impact assessment, select a processing activity in the “PROCESSING” menu and choose “Impact assessment: Start an assessment”.

An impact assessment is tied to a given version of the processing activity. When you modify and update the processing activity, the existing impact assessments are copied into the new version. Review the copied assessment against the changes you made: a copied assessment reflects the previous version until you update it.

The impact assessment methodology implemented in APM is the one the CNIL describes in its Methodology for Privacy Risk Management.

The methodology relies on a list of feared events (illegitimate access, loss of data, etc.), each assessed according to 2 criteria:

  • Likelihood: how probable is it that the event occurs?
  • Severity: if the event occurs, how serious is its impact?

Each criterion is rated according to 4 levels:

  • Insignificant
  • Limited
  • Important
  • Maximum

Finally, the feared events are plotted on a chart with 2 axes: likelihood and severity. The higher an event sits on the chart, the riskier it is. For a risky event, it may be necessary to redesign the processing activity (data security measures, the list of personal data collected, etc.) in order to reduce the risk, then reassess the event to confirm that the residual risk is acceptable.