Data Processing Context (DPC)
Scoring of the criteria
In order to define the score for DPC, the data controller should follow the steps below:
Step 1: Definition and classification of the types of personal data
a) Define the types of the personal data involved in the breach.
b) Classify the data in at least one of the four categories: simple, behavioural, financial, and sensitive data (these categories are explained in detail in Annex 1). In this way a preliminary basic DPC score is obtained.
The list of data types described under the four categories is not exhaustive; however, most data involved in real cases can be matched to at least one of the categories. Credentials are not considered a specific data category; they should be handled according to the type of data processed by the systems to which they grant access.
Step 2: Adjustment by contextual factors related to the data processing
c) Assess the occurrence of certain factors that could increase or decrease the basic score (data volume, special characteristics of the controllers or the individuals, invalidity/inaccuracy of data, public availability (before the breach), nature of data).
d) Where such factors exist, increase or decrease the basic score accordingly. Assessment Table 1 provides the adjustment scales per category of data, together with example cases that could lead to lower or higher scores.
Note: Even though, for the purpose of the methodology, the four data categories are ranked, the categorization itself is not to be seen as a general ranking of the types of data at hand. Rather, additional contextual factors related to the data must always be taken into account when considering the processing of a certain type of data. Therefore, the basic score is to be seen only as a general indication of the criticality connected to a certain category of data, and the DPC score of any data type can always vary from 1 to 4.
If the data matches more than one category, the above steps have to be followed for each applicable category. In these cases the value to use for the overall calculation of the severity is the highest score reached.
If the controller chooses to alter the DPC basic score (within the range of Assessment Table 1), the new score has to be supported by an explanation describing the particular contextual factors of the breach and their influence.
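The two steps above, carried through as an added example that is not part of the methodology document: each applicable category gets its basic score, contextual adjustments are applied only when accompanied by an explanation, the result stays within the stated range of 1 to 4, and the overall DPC is the highest category score. Annex 1 and Assessment Table 1 are not reproduced here, so the numeric basic scores (1 to 4 in ranking order) and the sample breach are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Assumed basic DPC score per category: the four categories in the ranking
# order given by the methodology, mapped onto the stated 1..4 range.
BASIC_SCORE = {"simple": 1, "behavioural": 2, "financial": 3, "sensitive": 4}
MIN_SCORE, MAX_SCORE = 1, 4


@dataclass
class Adjustment:
    factor: str      # contextual factor, e.g. "data volume", "invalidity of data"
    delta: int       # step on the Assessment Table 1 scale (assumed: -1/+1 per factor)
    rationale: str   # explanation the controller must record for any alteration


@dataclass
class CategoryAssessment:
    category: str
    data_types: list[str]
    adjustments: list[Adjustment] = field(default_factory=list)

    def score(self) -> int:
        """Step 1 basic score, then Step 2 adjustments, clamped to 1..4."""
        if self.category not in BASIC_SCORE:
            raise ValueError(f"unknown data category: {self.category!r}")
        for adj in self.adjustments:
            if not adj.rationale.strip():
                raise ValueError(f"{self.category}: adjustment '{adj.factor}' has no explanation")
        adjusted = BASIC_SCORE[self.category] + sum(a.delta for a in self.adjustments)
        return max(MIN_SCORE, min(MAX_SCORE, adjusted))


def dpc_score(assessments: list[CategoryAssessment]) -> int:
    """Overall DPC: the highest score among all applicable categories."""
    if not assessments:
        raise ValueError("at least one data category must be assigned")
    return max(a.score() for a in assessments)


# Constructed sample breach: a large customer list (simple data, volume pushes
# the score up) plus card numbers that had already expired (financial, score down).
SAMPLE_BREACH = [
    CategoryAssessment("simple", ["name", "postal address"],
                       [Adjustment("data volume", +1, "200,000 records; profiling possible")]),
    CategoryAssessment("financial", ["card number"],
                       [Adjustment("invalidity of data", -1, "all cards expired before the breach")]),
]

if __name__ == "__main__":
    print("DPC score:", dpc_score(SAMPLE_BREACH))
```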