Assess and treat GDPR risks
For processing activities, you can record and assess GDPR risks before and after you have taken measures to minimize risks.
Create GDPR risk
In the first step, you record the basic data of the new GDPR risk and assess the risk before taking measures to minimize the risk.
- Navigate to a processing activity
- Click on
- Click on the entry Create GDPR risk:
- Fill in the form:
  Risk information
  - Label: Enter a name for the risk here.
  - Description: Enter a description of the risk.
  - Responsibility: Specify the employees or roles that are responsible for the risk here.
  - Risk group: Assign the risk to a risk group here.
  - Vulnerability: Indicate the vulnerabilities of the risk here.
  - Threat: Enter the threat of the risk here.
  Gross risk assessment
  - Occurrence probability (gross): Select the probability of the risk occurring if the risk is not treated.
  - Damage potential / amount (gross): Select here what damage the risk could cause if the risk is not treated.
  Further information
  - Business Unit: Reference an organizational unit in which the risk occurs or may occur, or for which the risk is relevant.
  Attachment
  - File upload / attachment: Here you can attach a file.
  Note: The form fields marked with * are required.
- Click on Create GDPR risk in the form
- Enter further risk information via the Gross assessment property group:
  - Risk impact on confidentiality, integrity, availability and authenticity before measures: Here you rate the impact of the risk on each of the four protection goals (confidentiality, integrity, availability and authenticity) before the measures are implemented.
  - Reasons for the gross assessment: Here you can justify your gross assessment.
Result:
- The GDPR risk was recorded for the processing activity.
- You can view the data in the processing activity via the drop-down view Risk assessment view.
  See also: Processing activity views
- The risk is included in the overall risk assessment of the processing activity.
  Note: In the case of a high overall risk assessment, Aeneis recommends carrying out a Data Protection Impact Assessment (DPIA) in the Default view of the processing activity in the section Note on the creation of a DPIA. See Data Protection Impact Assessments.
- The risk is transferred to the gross risk matrix and the risk classes of the GDPR risks.
Treat GDPR risks
The following measures contribute to risk minimization in the context of a processing activity:
- Technical and organizational measures (TOMs)
  Note: You can use templates to define technical and organizational measures (TOMs) that are automatically used in the respective processing activity. You can enter TOMs manually via the corresponding properties of the processing activity.
Assess GDPR risk after measures
After you have dealt with the GDPR risks through measures, carry out a net assessment of the risk via the risk properties.
Instructions:
- Open the properties of the GDPR risk
- Assess the risk via the Net assessment property group:
  - Damage potential / amount (net): Select here what damage the risk could still cause after the measures have been implemented.
  - Occurrence probability (net): Select here how likely it is that the risk will still occur after the measures have been implemented.
  - Risk impact on confidentiality, integrity, availability and authenticity after measures: Here you rate the impact of the risk on each of the four protection goals (confidentiality, integrity, availability and authenticity) after the measures have been implemented.
  - Risk class net: Aeneis classifies the net risk on the basis of the damage potential / amount (net) and the occurrence probability (net).
  - Reasons for net assessment: Here you can justify your net assessment.
Result:
The result of your risk treatment is transferred to the corresponding evaluations, such as the risk matrix.
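As an added example that is not part of this documentation and not Aeneis code, the following Python model walks through the gross and net assessment described in the sections above: a risk is recorded with its gross occurrence probability, damage potential and impact on the four protection goals; the processing activity derives its overall class and whether a DPIA should be recommended; the risks are placed in a gross or net risk matrix; and after TOMs have been applied the net assessment is recorded and checked for consistency against the gross one. The four-level scale, the product-based risk-class thresholds, the class names and the rule "overall class high or very high means a DPIA is recommended" are assumptions chosen for illustration, as is the constructed sample activity.

```python
"""Gross/net GDPR risk assessment of a processing activity. Added example, not Aeneis
code: the four-step scale, the product-based risk-class thresholds and the rule
"overall class high or very high -> recommend a DPIA" are assumptions for illustration."""
from dataclasses import dataclass, field
from typing import Optional
from enum import IntEnum

class Level(IntEnum):  # assumed scale for occurrence probability and damage potential
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    VERY_HIGH = 4

PROTECTION_GOALS = ("confidentiality", "integrity", "availability", "authenticity")
CLASS_ORDER = ("low", "medium", "high", "very high")

def risk_class(probability: Level, damage: Level) -> str:
    """Risk class from occurrence probability x damage potential (assumed matrix)."""
    score = int(probability) * int(damage)
    return "low" if score <= 2 else "medium" if score <= 6 else "high" if score <= 9 else "very high"

def _check_impact(impact: dict[str, Level]) -> None:
    missing = [goal for goal in PROTECTION_GOALS if goal not in impact]
    if missing:  # every protection goal must be rated, as on the impact property
        raise ValueError(f"impact not assessed for: {missing}")

@dataclass
class GdprRisk:
    label: str                       # risk information
    vulnerability: str
    threat: str
    gross_probability: Level         # gross assessment: before measures
    gross_damage: Level
    gross_impact: dict[str, Level]   # impact per protection goal before measures
    reasons_gross: str = ""
    net_probability: Optional[Level] = None   # net assessment: after measures
    net_damage: Optional[Level] = None
    net_impact: dict[str, Level] = field(default_factory=dict)
    reasons_net: str = ""

    def __post_init__(self) -> None:
        _check_impact(self.gross_impact)

    def gross_class(self) -> str:
        return risk_class(self.gross_probability, self.gross_damage)

    def net_class(self) -> Optional[str]:
        if self.net_probability is None or self.net_damage is None:
            return None  # not yet treated
        return risk_class(self.net_probability, self.net_damage)

    def assess_net(self, probability: Level, damage: Level,
                   impact: dict[str, Level], reasons: str) -> str:
        """Record the net assessment and return the resulting net risk class."""
        _check_impact(impact)
        self.net_probability, self.net_damage = probability, damage
        self.net_impact, self.reasons_net = dict(impact), reasons
        return self.net_class()

@dataclass
class ProcessingActivity:
    name: str
    toms: list[str] = field(default_factory=list)   # technical and organizational measures
    risks: list[GdprRisk] = field(default_factory=list)

    def overall_class(self) -> str:
        """Overall assessment: highest class among the risks (net once treated, else gross)."""
        classes = [r.net_class() or r.gross_class() for r in self.risks] or ["low"]
        return max(classes, key=CLASS_ORDER.index)

    def dpia_recommended(self) -> bool:
        return CLASS_ORDER.index(self.overall_class()) >= CLASS_ORDER.index("high")

    def risk_matrix(self, assessment: str = "gross") -> dict[tuple[Level, Level], list[str]]:
        """Matrix cells (probability, damage) -> labels of the risks placed there."""
        cells: dict[tuple[Level, Level], list[str]] = {}
        for r in self.risks:
            if assessment == "gross":
                key = (r.gross_probability, r.gross_damage)
            elif r.net_class() is not None:
                key = (r.net_probability, r.net_damage)
            else:
                continue  # an untreated risk has no net position yet
            cells.setdefault(key, []).append(r.label)
        return cells

    def inconsistent_net_assessments(self) -> list[str]:
        """Risks rated higher net than gross: measures should not raise a risk, so re-check."""
        return [r.label for r in self.risks if r.net_class() is not None
                and CLASS_ORDER.index(r.net_class()) > CLASS_ORDER.index(r.gross_class())]

def build_example() -> ProcessingActivity:
    """Constructed sample: one risk recorded gross, then treated with TOMs and assessed net."""
    activity = ProcessingActivity("Newsletter dispatch (constructed sample)")
    risk = GdprRisk(label="Unauthorized access to subscriber list",
                    vulnerability="Shared mailbox without access restrictions",
                    threat="Unauthorized disclosure of personal data",
                    gross_probability=Level.HIGH, gross_damage=Level.HIGH,
                    gross_impact={goal: Level.HIGH for goal in PROTECTION_GOALS})
    activity.risks.append(risk)  # gross: 3 x 3 = 9 -> "high", so a DPIA would be recommended
    activity.toms += ["Role-based access to the mailbox", "Encrypted storage"]
    risk.assess_net(Level.LOW, Level.MEDIUM, {goal: Level.LOW for goal in PROTECTION_GOALS},
                    "Access restricted to two named roles.")  # net: 1 x 2 = 2 -> "low"
    return activity
```

Calling `build_example()` reproduces the two stages of the page: immediately after `activity.risks.append(risk)` the overall class is "high" and `dpia_recommended()` is true, which is the point at which this documentation says a DPIA should be considered; after `assess_net()` the same activity reports "low" and the risk moves from the (HIGH, HIGH) cell of the gross matrix to the (LOW, MEDIUM) cell of the net matrix. `inconsistent_net_assessments()` is the extra check a reviewer would want: a net class above the gross class means either the measures or the assessment need another look.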