Overview of the methodology
Criteria
The main criteria taken into account while assessing the severity of a personal data breach are:
- Data Processing Context (DPC): Addresses the type of the data breached, together with a number of factors linked to the overall context in which the data were processed.
- Ease of Identification (EI): Determines how easily the identity of the individuals can be deduced from the data involved in the breach.
- Circumstances of Breach (CB): Addresses the specific circumstances of the breach, which depend on the type of the breach; these include chiefly the loss of security of the breached data, as well as any malicious intent involved.
Calculation of the severity
Based on the above criteria, the approach of this methodology is the following:
- DPC is at the core of the methodology and evaluates the criticality of a given data set in a specific processing context.
- EI is a correcting factor applied to the DPC: the overall criticality of a data processing can only be reduced, never increased, depending on the value of EI. In other words, the lower the ease of identification, the lower the overall score. The combination (multiplication) of the DPC and EI therefore gives the initial severity score (SE) of the data breach.
- CB quantifies specific circumstances of the breach that may or may not be present in a particular situation. When present, CB can only add to the severity of a specific breach; for this reason the initial score is further adjusted upwards by the CB.
Thus, the final score of the severity assessment can be extracted using the following formula:
SE = DPC x EI + CB
Consequently, to obtain the severity result the controller must score all three criteria.
The result falls within a range of values that corresponds to one of four severity levels: low, medium, high and very high. At the end of the assessment, other possibly relevant criteria that are not part of the formula (the number of individuals affected and the unintelligibility of the data, e.g. through encryption) are evaluated separately and flagged to the competent authority when applicable.
It is essential to bear in mind that all scores and/or rankings used in this methodology were set solely for use within the severity formula. They are not meant to bear any significance for a conclusion about the weighting or ranking of certain types of data in general, let alone to indicate any legal consequences or precedents as to the use of these data for other purposes.