APM classifies each processing operation into one of 3 statuses:
- No risk
- Potential risk, PIA recommended
- Risky, PIA mandatory
In the third case, and potentially in the second case, you need to perform a Privacy Impact Assessment (PIA).
To perform an impact assessment, select a processing operation in the “PROCESSING” menu and then select “Impact assessment: Start an assessment”.
The impact assessment is performed for a given version of the processing. When you modify and update the processing, the existing impact assessments are copied into the new version of the processing.
The impact assessment methodology implemented in APM is the one the CNIL describes in its Methodology for Privacy Risk Management.
The methodology relies on a list of feared events (illegitimate access, loss of data…), each assessed according to 2 criteria:
- Likelihood: how probable is it that the event actually occurs?
- Severity: if the event does occur, how significant is its impact?
Each criterion is rated according to 4 levels:
Finally, the feared events are plotted on a chart with 2 axes: likelihood and severity. The higher an event sits on the chart, the riskier it is. For a risky event, it may be necessary to redesign the processing (data security measures, list of personal data collected…) in order to reduce the risk.
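The two-criterion rating and the resulting chart can be modelled in a few lines. The following is an added example written for this page; it is not APM's code and not part of the CNIL methodology text. The level names (negligible, limited, significant, maximum), the placement of likelihood on the vertical axis, the treatment thresholds and the sample feared events are all assumptions made for the example.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple

# Four levels per criterion. The page states there are 4 levels; these
# names are an assumption of this example.
LEVELS: Dict[int, str] = {1: "negligible", 2: "limited", 3: "significant", 4: "maximum"}

# Assumed treatment policy (not stated on the page): an event must trigger a
# redesign when both criteria are at least "significant", a reduction is
# recommended when either one is, and the event is acceptable otherwise.
REDESIGN, REDUCE, ACCEPT = "redesign required", "reduction recommended", "acceptable"


@dataclass(frozen=True)
class FearedEvent:
    name: str
    likelihood: int  # 1..4: probability that the event is carried out
    severity: int    # 1..4: impact on the data subjects if it happens

    def __post_init__(self) -> None:
        for field, value in (("likelihood", self.likelihood), ("severity", self.severity)):
            if value not in LEVELS:
                raise ValueError(f"{field} must be in 1..4, got {value!r}")


def treatment(event: FearedEvent) -> str:
    """Map an event's position on the likelihood/severity chart to a treatment."""
    if event.likelihood >= 3 and event.severity >= 3:
        return REDESIGN
    if event.likelihood >= 3 or event.severity >= 3:
        return REDUCE
    return ACCEPT


def rank(events: List[FearedEvent]) -> List[FearedEvent]:
    """Most risky first: treatment tier, then higher on the chart, then further right."""
    order = {REDESIGN: 2, REDUCE: 1, ACCEPT: 0}
    return sorted(events, key=lambda e: (order[treatment(e)], e.likelihood, e.severity), reverse=True)


def chart(events: List[FearedEvent]) -> List[str]:
    """Render the two-axis chart as text: rows are likelihood 4..1 (top row = most
    likely), columns are severity 1..4. Axis placement is an assumption here."""
    cells: Dict[Tuple[int, int], List[str]] = {}
    for e in events:
        cells.setdefault((e.likelihood, e.severity), []).append(e.name)
    lines = []
    for lik in range(4, 0, -1):
        row = [", ".join(cells.get((lik, sev), [])) or "-" for sev in range(1, 5)]
        lines.append(f"likelihood {lik} | " + " | ".join(f"{c:<22}" for c in row))
    lines.append(" " * 15 + "  ".join(f"severity {s:<15}" for s in range(1, 5)))
    return lines


def apply_control(event: FearedEvent, likelihood_delta: int = 0, severity_delta: int = 0) -> FearedEvent:
    """Model a redesign of the processing (e.g. encryption, data minimisation) by
    shifting the ratings, clamped to the 1..4 scale, so the event can be re-assessed."""
    def clamp(v: int) -> int:
        return max(1, min(4, v))
    return replace(event,
                   likelihood=clamp(event.likelihood + likelihood_delta),
                   severity=clamp(event.severity + severity_delta))


# Constructed sample: three feared events with assumed ratings.
SAMPLE_EVENTS = [
    FearedEvent("illegitimate access", likelihood=3, severity=4),
    FearedEvent("loss of data", likelihood=2, severity=3),
    FearedEvent("unwanted modification", likelihood=1, severity=2),
]

if __name__ == "__main__":
    for e in rank(SAMPLE_EVENTS):
        print(f"{e.name:<22} L={LEVELS[e.likelihood]:<12} S={LEVELS[e.severity]:<12} -> {treatment(e)}")
    print("\n".join(chart(SAMPLE_EVENTS)))
    # Re-assess after a redesign that makes illegitimate access much less likely.
    hardened = apply_control(SAMPLE_EVENTS[0], likelihood_delta=-2)
    print(f"after control: {hardened.name} -> {treatment(hardened)}")
```

Note that a control usually lowers likelihood (access control, encryption at rest) while severity only drops if the data itself changes (collecting less, pseudonymising); the example keeps the two deltas separate so that both kinds of redesign can be evaluated against the same chart.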