9.3.4 Data Protection Impact Assessment Risk Classification Matrix

To assess whether a risk is a high risk, you need to consider both the likelihood and severity of the possible harm. Harm does not have to be inevitable to qualify as a risk or a high risk. It must be more than remote, but any significant possibility of very serious harm may still be enough to qualify as a high risk. Equally, a high probability of widespread but more minor harm may still count as high risk.

You must make an objective assessment of the risks. The matrix below shows a structured way to assess risk. Your organisation may use a different method you can adapt for the same purpose. You may also want to consider your own corporate risks, such as the impact of regulatory action, reputational damage or loss of public.

RISK LIKELIHOOD
      5     MEDIUM   MEDIUM   HIGH     HIGH     HIGH
      4     LOW      MEDIUM   HIGH     HIGH     HIGH
      3     LOW      MEDIUM   MEDIUM   HIGH     HIGH
      2     LOW      LOW      MEDIUM   MEDIUM   MEDIUM
      1     LOW      LOW      LOW      LOW      MEDIUM
RISK SCORE  1        2        3        4        5
                          RISK IMPACT