Version: 2025-02-02

Privacy Impact Assessment

Unicis Platform Plan

Available on the Premium & Ultimate subscription plans.

The Privacy Impact Assessment module helps organizations evaluate and manage privacy risks related to the processing of personal data. It assists in complying with privacy regulations such as GDPR and ensures that risks are mitigated for individuals' rights and freedoms.

When no assessments have been created yet, a message indicating that no records exist is displayed.
To create a Privacy Impact Assessment, follow these steps:

  1. Navigate to the All Tasks menu.
  2. Select an existing task, or create one if none is available.
  3. Navigate to the Privacy Impact Assessment tab and click the Register Privacy Impact Assessment button.
  4. Follow the guided steps.

Probability of the Risk

The Probability of the Risk refers to the likelihood that a specific risk will materialize. This assessment evaluates how often a potential risk event could occur, ranging from extremely rare instances to events that are highly predictable or frequent. Understanding the probability helps organizations prioritize risk management efforts and allocate resources effectively.

  • Rare: The risk is highly unlikely to occur. It might happen only in exceptional circumstances and would require an unusual combination of events to materialize. Probability is negligible.
  • Unlikely: The risk is not expected to happen under normal conditions but could occur in specific and infrequent situations. Probability is low.
  • Possible: The risk might occur under normal conditions. There is a moderate likelihood, and it is neither rare nor frequent.
  • Probable: The risk is likely to occur in most circumstances. The event is expected to happen regularly and is predictable.
  • Severe: The risk is almost certain to occur. It is highly predictable and can happen frequently with significant impact when it does.

Security of the Risk

The Security of the Risk refers to the potential impact or severity of a risk event in relation to data privacy. This assessment evaluates the consequences of a loss of confidentiality, integrity, or availability of personal data and how it affects both the organization and the data subjects. Assessing the security of the risk helps organizations identify the level of harm and take appropriate mitigation measures.

  • Insignificant: The loss of confidentiality and integrity of personal data, where processing has minimal operational impact and negligible costs, and does not notably affect the data subject's business or finances.
  • Minor: The loss of confidentiality and integrity of personal data, where processing has a noticeable but limited operational impact, some costs, and may lead to a minor financial impact for the data subject, but is unlikely to significantly affect their rights.
  • Moderate: The loss of confidentiality and integrity of personal data, where processing has a substantial operational impact, is very costly, and may cause considerable business or financial harm to the data subject, but does not involve special categories or sensitive data with a major rights impact.
  • Major: The loss of confidentiality and integrity of personal data, where processing causes severe operational disruption that is highly damaging and extremely costly to both the organization and the data subjects. It could involve special categories (such as criminal history or other sensitive data), leading to significant risks to the rights and freedoms of data subjects.
  • Extreme: The loss of confidentiality and integrity of personal data, where processing results in complete, unsurvivable operational failure, with potential life-threatening consequences or severe impacts on the personal freedoms and rights of the data subjects.

Risk Levels

The Risk Levels combine the Probability of the Risk and the Security of the Risk to determine the overall severity of the risk. Each level is associated with a numeric range, percentage, and color-coded indicator to provide clarity on the urgency and required actions for mitigation.

  • Low Risk (1–3):

    • Percentage: 1%–12% likelihood and impact combined.
    • Indicator: 🟢 Green
    • Description: Represents risks that are rare or unlikely and have an insignificant or minor impact. These risks require minimal or no immediate action, as they pose little to no threat to data privacy or organizational operations.
  • Medium Risk (4–9):

    • Percentage: 16%–36% likelihood and impact combined.
    • Indicator: 🟡 Yellow
    • Description: Represents risks that are possible and have a moderate impact. These risks should be monitored and addressed with reasonable measures to prevent escalation or harm.
  • High Risk (10–16):

    • Percentage: 40%–64% likelihood and impact combined.
    • Indicator: 🟠 Orange
    • Description: Represents risks that are probable and have a major impact. These risks require prompt and proactive management, as they pose a significant threat to the rights and freedoms of data subjects or organizational operations.
  • Extreme Risk (20–25):

    • Percentage: 80%–100% likelihood and impact combined.
    • Indicator: 🔴 Red
    • Description: Represents risks that are severe in both probability and impact. These risks demand immediate action to mitigate, as they can result in catastrophic harm to data subjects or cause substantial operational, financial, or legal consequences for the organization.
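The band boundaries above are consistent with a 5×5 matrix in which the score is the product of the Probability rating (1–5) and the Security rating (1–5) and the percentage is the score as a share of the maximum 25. The following added example (not part of the Unicis documentation or product code; the product-of-ratings rule and the 4%-per-point percentage are assumptions inferred from the ranges on this page) implements that matrix, and generates the full grid so you can see which rating combinations land in which band, including cells the verbal descriptions do not mention, such as Probable × Moderate (score 12, High).

```python
from enum import IntEnum


class Probability(IntEnum):
    """Probability of the Risk ratings from the page, scored 1..5."""
    RARE = 1
    UNLIKELY = 2
    POSSIBLE = 3
    PROBABLE = 4
    SEVERE = 5


class Impact(IntEnum):
    """Security of the Risk (impact) ratings from the page, scored 1..5."""
    INSIGNIFICANT = 1
    MINOR = 2
    MODERATE = 3
    MAJOR = 4
    EXTREME = 5


# Risk Levels from the page: (lowest score, highest score, label, indicator).
# Scores 17-19 are in no band, but no product of two 1..5 ratings yields them.
BANDS = [
    (1, 3, "Low", "Green"),
    (4, 9, "Medium", "Yellow"),
    (10, 16, "High", "Orange"),
    (20, 25, "Extreme", "Red"),
]


def risk_score(probability, impact):
    """Assumption: the combined score is the product of the two ratings."""
    p, i = int(probability), int(impact)
    if not (1 <= p <= 5 and 1 <= i <= 5):
        raise ValueError("probability and impact must each be in 1..5")
    return p * i


def risk_percent(score):
    """Assumption: percentage is score/25, i.e. 4% per point (25 -> 100%)."""
    return score * 100 // 25


def risk_level(score):
    """Map a score to its (label, indicator); unreachable scores are rejected."""
    for low, high, label, indicator in BANDS:
        if low <= score <= high:
            return label, indicator
    raise ValueError(f"score {score} is not a product of two 1..5 ratings")


def assess(probability, impact):
    score = risk_score(probability, impact)
    label, indicator = risk_level(score)
    return {"score": score, "percent": risk_percent(score),
            "level": label, "indicator": indicator}


def risk_matrix():
    """Every cell of the 5x5 grid with its band: proves no combination is unbanded."""
    return {(p.name, i.name): assess(p, i)["level"]
            for p in Probability for i in Impact}
```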

Results

info

Below is an illustration of how the risk assessment results are presented.

[Image: PIA Results]

Dashboard

A dashboard is provided for managing Privacy Impact Assessments assigned via tasks. The dashboard gives an overview of:

  • Register of Procedures
  • Status (To Do/In Progress/Completed)
  • Confidentiality and Integrity risk in percentage
  • Availability risk in percentage
  • Transparency and data minimization risk in percentage
  • Actions (Edit/Delete)

Add

A Privacy Impact Assessment can only be added via the Tasks edit mode using the Privacy Impact Assessment tab.

  • Open a task and navigate to the Privacy Impact Assessment tab.
  • Follow the guided instructions and click Next to proceed.
  • Required fields are marked with a red star.
  • Once the assessment is completed, it will be available in the dashboard for review.

info

Each step in the process is numbered and displayed at the top of the dialog (e.g., 1/3), allowing you to track progress.

Steps:

  1. Data processing
  2. Confidentiality and Integrity
  3. Availability
  4. Transparency and data minimization
  5. Results
  6. Corrective measures

note

Each step includes helpful info and warning messages for additional guidance and context!

Edit

You can edit an existing Privacy Impact Assessment from the dashboard by clicking the Edit action.

Delete

To delete a Privacy Impact Assessment, click the Delete button on the dashboard.

caution

You will be prompted to confirm the deletion. Note that deleting an assessment will not remove the associated task.

Activity Logs

Activity logs can be accessed by opening the associated ticket and navigating to the Audit Logs section. Click on Privacy Impact Assessment Audit Logs to view changes.

The logs include details on:

  • Assessment Creation
  • Updates
  • Deletion