Audit modelPIA (CNIL) - Privacy Impact Analysis

These may include data protection authorities' guidelines, recommendations, sector-specific codes of conduct or the certifications provided for under the GDPR.

Personal data is any information relating to an identified or identifiable individual.

▶ Information can be of any kind: a text, an image, computer code, speech, whatever the medium.

▶ The information concerns one individual and one person only, and not a group of people. The information must not only designate the individual but be attributed to him or her. For example, a comment may not mention a person's name but concern that person alone. This is personal data.

▶ This means that it concerns a human being and not an animal, a company or an association. The right to protection of personal data is one of the fundamental human rights.

▶ The person must be identifiable, i.e. directly when the information relates directly to the person (for example, his or her surname and first name) or indirectly. This is the case when information cross-referenced with other information makes it possible to identify the person.

A retention period must be defined for each type of data and justified by the needs of the processing and/or legal constraints.

A distinction is made between current data and archived data, access to which is restricted to the parties concerned. A deletion mechanism must be implemented to archive current data or purge archived data at the end of its retention period.

The recipients correspond to all the entities that will have access to the data other than the public authorities (authorised third parties such as the data protection authorities, the criminal investigation police or the tax authorities, for example).

This includes the data controller's internal departments (the HR department, for example), subcontractors, joint controllers and other data controllers (commercial partners, for example).

Also specify who has access to the data. Sometimes recipients do not necessarily have access to the data.

Depending on the authorisation policy, only certain people may have unencrypted access to the information.

Commencez par la collecte directe auprès de la personne concernée ou indirecte et décrivez son parcours, les acteurs qu'elle rencontre, les utilisations qui en sont faites et sa fin de vie.

Vous devez décrire chaque processus mis en oeuvre (par exemple, la transmission à un prestataire, la collecte des données, la mise en archivage ou encore la suppression).

All purposes must be specified.

In other words, it must be sufficiently defined to allow all the necessary data protection guarantees to be implemented and to delimit the scope of the processing.

The purpose of the collection must be clearly and specifically identified. The purpose cannot be too vague or general.

The fact that the information must be precise does not mean that longer and more detailed specifications are always necessary or useful. In fact, a detailed description can sometimes even be counter-productive. This may be the case, for example, if the written, detailed specification of the purpose is too legalistic and provides warnings rather than useful information for those involved and other stakeholders.

Purposes must be explicit.

In other words, they must be clearly revealed, explained or expressed in an intelligible form.

The ultimate aim of this requirement is to ensure that the objectives are specified without any ambiguity as to their meaning or intention. What is meant must be clear and must leave no doubt or difficulty of understanding.

This contributes to transparency and predictability.

Purposes must be legitimate.

The requirement for legitimacy means that the objectives must "comply with the law" in the broadest sense.

This goes beyond the requirement of the legal basis for processing.

Within the limits of the law, other elements such as customs, codes of conduct, codes of ethics, contractual agreements, as well as the general context and facts of the business, may also be taken into account to determine whether a particular purpose is legitimate. This will include the nature of the underlying relationship between the controller and the data subjects, whether commercial or otherwise.

For example, a company segments its customers into two groups according to their ethnic profile: it charges higher prices to "white" customers than to "Asian" customers. In this case, the treatment gives rise to discriminatory practices, which are not legitimate.

Processing is lawful only if, and insofar as, at least one of the following 6 conditions is met:

▶ The data subject has consented to the processing of his or her personal data for one or more specific purposes;

▶ The processing is necessary for the delivery of a contract to which the data subject is a party or for the performance of pre-contractual measures taken at the data subject's request;

▶ Processing is necessary for compliance with a legal obligation to which the controller is subject;

▶ Processing is necessary in order to protect the vital interests of the data subject or of another natural person;

▶ Processing is necessary for the delivery of a task carried out in the public interest or in the exercise of official authority vested in the controller;

▶ Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, unless the interests or fundamental rights and freedoms of the data subject which require the protection of personal data prevail, in particular where the data subject is a child.

The principle of minimisation stipulates that personal data must be adequate, relevant and limited to what is necessary for the purposes for which it is processed.

The right questions to ask:

• What data do I really need to achieve the objective set for my file?

• Have I made a clear distinction between mandatory and optional data?

• Is the data I am collecting objective?

• Will I be able, in complete transparency, to give any person who so requests access to all the data I hold on them?

• Am I collecting sensitive data? Do I have the right to collect this data? Is it justified in terms of my duties? Can I do otherwise?

The accuracy of data is provided for in Article 5.1 d) of the GDPR.

Quality control must be carried out on the data to ensure that it is accurate and meets the purpose of the processing.

In the event of inaccuracy, the data must be rectified or deleted without delay.

Quality processes must be put in place. For example, control of data by the user.

A retention period must be defined for each type of data, justified by the needs of the processing and/or legal constraints.

A distinction is made between current data and archived data, access to which is restricted to the parties concerned. A deletion mechanism must be implemented to archive current data or purge archived data at the end of its retention period.

Functional traces will also need to be purged, as will technical logs, which cannot be kept indefinitely.

Exemptions from the requirement to provide information are possible in the case of direct data collection "where, and insofar as, the data subject already has this information".

In the case of indirect data collection, information may not be provided:

• if providing this information is impossible or would require a disproportionate effort ;

• where national or EU law provides for exemption

• or in the case of an obligation of professional secrecy.

The information must be legible and comprehensible. It must include the following information

• The identity and contact details of the controller

• The list of purposes and associated legal bases

• Whether data collection is compulsory or optional

• The list of recipients or categories of recipients of the data and any transfers outside the EEA

• How long the data will be kept (or the criteria for determining this)

• The rights of the persons concerned

• The contact details of the organisation's data protection officer, if one has been appointed, or of a contact point for personal data protection issues

• The right to lodge a complaint with a supervisory authority

• the existence of automated decision-making, including profiling

And in the case of indirect data collection:

• The categories of personal data

• The source of the data

Data is collected indirectly when it is not connected to the data subjects. For example, through a third party or from a public database.

Consent is one of the six legal bases laid down by the GDPR for processing data.

It must meet the following conditions:

• Free: not consenting must not have negative consequences

• Specific: you must know what you are consenting to and you must consent for each purpose

• Informed: you must be fully informed about the processing before giving your consent, and at least about :

  - the identity of the controller

  - the purpose

  - the existence of the right to withdraw consent.

The information must then be supplemented by a personal data charter or privacy policy.

• Unambiguous: positive action by the individual. The individual must say YES! Consent boxes must not be ticked by default.

• Documented: consent must be proven.

Managing access rights involves asking the following questions:

• Can people access all their personal data via the current interfaces?

• Can they consult, in a secure manner, the traces of use that concern them?

• Can they download an archive of all their personal data?

For example, if you use Dastra to manage rights, you can indicate the process used (widget, request management, transmission of information via a secure platform, etc.).

The right to portability applies to automated processing operations based on a legal contract or consent.

It must provide for the possibility of recovering, in an easily reusable form, the personal data supplied by the data subject, so that it can be transferred to a third party service.

The right to erasure may be waived in the event of:

• exercise of the right to freedom of expression and information

• compliance with a legal obligation

• for reasons of public interest in the field of health

• archives, scientific or historical research and statistics if deletion makes processing impossible

• to establish, exercise or defend a legal claim.

Please note: connection data cannot be rectified by its very nature, nor can it be objected to on the grounds of a compelling reason on the part of the data controller.

If the processing is based on consent or a legal obligation, the right to object does not apply.

The processor is defined as the natural or legal person, public authority, department or other body which processes personal data on behalf of the controller.

The task of the processor is to carry out tasks on the instructions and under the responsibility of the controller.

In practice, this usually means the service providers involved in data processing. This naturally includes the data host or a call centre in the context of a customer service.

The GDPR lays down a number of obligations for the processor, particularly in terms of data security and compliance with the contractual clauses set out in Article 28 of the Regulation.

The contract must include at minima (more information here):

• duration,

• scope,

• purpose,

• documented processing instructions,

• prior authorisation in the event of recourse to a subcontractor, provision of all documentation providing proof of compliance with the GDPR,

• immediate notification of any data breach,

• etc.

Personal data is transferred when it is transferred from European territory to one or more countries outside the European Union. The data may be transferred by copying or moving it over a network or from one medium to another (e.g. from a computer hard drive to a server).

Example 1 - A company wishes to outsource the management of its customer telephone reminders to a company located in a country outside the European Union.

Example 2 - The employee data of a multinational is centralised by the parent company in the United States. The personal data of European employees is therefore transferred to the United States.

The tools used to manage transfers are:

• Standard contractual clauses (SCCs)

• Adequacy decision

• Binding corporate rules (BCRs)

• Administrative arrangement

• Derogation under Article 49 of the GDPR

• Code of conduct or certification mechanism

Operating mode consisting of one or more unitary actions on data media / carriers. The threat may be used, intentionally or not, by sources of risk, and may then cause a feared event.

An individual, internal or external to the organisation, acting accidentally or deliberately (e.g. IT administrator, user, external attacker, competitor), or a non-human source (e.g. water, hazardous materials, non-targeted computer virus) who may be the source of a risk.

Severity represents the extent of a risk. It depends essentially on the detrimental nature of the potential impacts.

Negligible:

The people concerned will not be affected or may experience some inconvenience, which they will overcome without difficulty.Examples of impacts:- physical: temporary headaches- material: loss of time in repeating procedures or waiting to carry them out, re-use of data for targeted advertising of everyday consumer products, etc.,- moral: simple annoyance, feeling of invasion of privacy without real harm (commercial intrusion), etc.

Limited:

The people concerned could experience significant inconvenience, which they will be able to overcome despite some difficultiesExamples of impacts:- physical: minor physical ailment (e.g.: benign illness following non-compliance with contra-indications), defamation giving rise to physical reprisals, etc.- material: unscheduled payments (e.g.: unpaid invoices), etc.- moral: simple annoyance, feeling of invasion of privacy without any real prejudice (commercial intrusion), etc. material: unscheduled payments (e.g. erroneous fines), refusal of access to administrative or commercial services, targeted online advertising on an aspect of privacy that the person wished to keep confidential, etc. - moral: minor but objective psychological harm, feeling of invasion of privacy without irremediable harm, intimidation on social networks, etc.

Important:

The people concerned could experience significant consequences, which they should be able to overcome, but with real and significant difficultiesExamples of impacts:- physical: serious physical ailment causing long-term damage (worsening of the state of health following poor treatment, or failure to comply with contraindications), alteration of physical integrity, etc.- material: embezzlement of money that is not irreversible (e.g. the loss of a car, the loss of a car, etc.). material: embezzlement of uncompensated money, targeted, one-off and non-recurring opportunities lost (mortgage, studies, work placements or employment, exam ban), loss of accommodation, loss of employment, etc. - moral: serious psychological condition (depression, phobia), feeling of invasion of privacy and irremediable harm, victim of blackmail, cyberbullying and mobbing, etc.

Maximum:

The people concerned could suffer significant, even irremediable, consequences that they may not be able to overcome. Examples of impacts:

• physical: long-term or permanent physical ailment, permanent impairment of physical integrity, death

• material: financial peril, major debts, inability to work, inability to find alternative accommodation, loss of evidence in legal proceedings, loss of access to vital infrastructure (water, electricity), etc.

• moral: long-term or permanent psychological illness, criminal sanction, abduction, loss of family ties, inability to go to court, change of administrative status and/or loss of legal autonomy (guardianship), etc.

The likelihood of a risk occurring. It depends essentially on the vulnerability of the media to the threats and the ability of the sources of risk to exploit them.

Negligible:

It does not seem possible that the selected risk sources could carry out the threat based on the characteristics of the media (e.g. theft of paper media stored in an organisation's premises to which access is controlled by badge and access code).

Limited:

It seems difficult for the selected sources of risk to carry out the threat based on the characteristics of the media (e.g. theft of paper media stored in an organisation's premises to which access is controlled by badge).

Important:

it seems possible for the selected risk sources to carry out the threat based on the characteristics of the media (e.g. theft of paper media stored in the offices of an organisation to which access is controlled by a receptionist).

Maximum:

it seems extremely easy for the selected risk sources to carry out the threat based on the characteristics of the media (e.g. theft of paper media stored in the organisation's public hall).

Operating mode consisting of one or more unitary actions on data media / carriers. The threat may be used, intentionally or not, by sources of risk, and may then cause a feared event.

An individual, internal or external to the organisation, acting accidentally or deliberately (e.g. IT administrator, user, external attacker, competitor), or a non-human source (e.g. water, hazardous materials, non-targeted computer virus) who may be the source of a risk.

Severity represents the extent of a risk. It depends essentially on the detrimental nature of the potential impacts.

Negligible:

The people concerned will not be affected or may experience some inconvenience, which they will overcome without difficulty.Examples of impacts:- physical: temporary headaches- material: loss of time in repeating procedures or waiting to carry them out, re-use of data for targeted advertising of everyday consumer products, etc.,- moral: simple annoyance, feeling of invasion of privacy without real harm (commercial intrusion), etc.

Limited:

The people concerned could experience significant inconvenience, which they will be able to overcome despite some difficultiesExamples of impacts:- physical: minor physical ailment (e.g.: benign illness following non-compliance with contra-indications), defamation giving rise to physical reprisals, etc.- material: unscheduled payments (e.g.: unpaid invoices), etc.- moral: simple annoyance, feeling of invasion of privacy without any real prejudice (commercial intrusion), etc. material: unscheduled payments (e.g. erroneous fines), refusal of access to administrative or commercial services, targeted online advertising on an aspect of privacy that the person wished to keep confidential, etc. - moral: minor but objective psychological harm, feeling of invasion of privacy without irremediable harm, intimidation on social networks, etc.

Important:

The people concerned could experience significant consequences, which they should be able to overcome, but with real and significant difficultiesExamples of impacts:- physical: serious physical ailment causing long-term damage (worsening of the state of health following poor treatment, or failure to comply with contraindications), alteration of physical integrity, etc.- material: embezzlement of money that is not irreversible (e.g. the loss of a car, the loss of a car, etc.). material: embezzlement of uncompensated money, targeted, one-off and non-recurring opportunities lost (mortgage, studies, work placements or employment, exam ban), loss of accommodation, loss of employment, etc. - moral: serious psychological condition (depression, phobia), feeling of invasion of privacy and irremediable harm, victim of blackmail, cyberbullying and mobbing, etc.

Maximum:

The people concerned could suffer significant, even irremediable, consequences that they may not be able to overcome. Examples of impacts:

• physical: long-term or permanent physical ailment, permanent impairment of physical integrity, death

• material: financial peril, major debts, inability to work, inability to find alternative accommodation, loss of evidence in legal proceedings, loss of access to vital infrastructure (water, electricity), etc.

• moral: long-term or permanent psychological illness, criminal sanction, abduction, loss of family ties, inability to go to court, change of administrative status and/or loss of legal autonomy (guardianship), etc.

The likelihood of a risk occurring. It depends essentially on the vulnerability of the media to the threats and the ability of the sources of risk to exploit them.

Negligible:

It does not seem possible that the selected risk sources could carry out the threat based on the characteristics of the media (e.g. theft of paper media stored in an organisation's premises to which access is controlled by badge and access code).

Limited:

It seems difficult for the selected sources of risk to carry out the threat based on the characteristics of the media (e.g. theft of paper media stored in an organisation's premises to which access is controlled by badge).

Important:

it seems possible for the selected risk sources to carry out the threat based on the characteristics of the media (e.g. theft of paper media stored in the offices of an organisation to which access is controlled by a receptionist).

Maximum:

it seems extremely easy for the selected risk sources to carry out the threat based on the characteristics of the media (e.g. theft of paper media stored in the organisation's public hall).

Operating mode consisting of one or more unitary actions on data media / carriers. The threat may be used, intentionally or not, by sources of risk, and may then cause a feared event.

An individual, internal or external to the organisation, acting accidentally or deliberately (e.g. IT administrator, user, external attacker, competitor), or a non-human source (e.g. water, hazardous materials, non-targeted computer virus) who may be the source of a risk.

Severity represents the extent of a risk. It depends essentially on the detrimental nature of the potential impacts.

Negligible:

The people concerned will not be affected or may experience some inconvenience, which they will overcome without difficulty.Examples of impacts:- physical: temporary headaches- material: loss of time in repeating procedures or waiting to carry them out, re-use of data for targeted advertising of everyday consumer products, etc.,- moral: simple annoyance, feeling of invasion of privacy without real harm (commercial intrusion), etc.

Limited:

The people concerned could experience significant inconvenience, which they will be able to overcome despite some difficultiesExamples of impacts:- physical: minor physical ailment (e.g.: benign illness following non-compliance with contra-indications), defamation giving rise to physical reprisals, etc.- material: unscheduled payments (e.g.: unpaid invoices), etc.- moral: simple annoyance, feeling of invasion of privacy without any real prejudice (commercial intrusion), etc. material: unscheduled payments (e.g. erroneous fines), refusal of access to administrative or commercial services, targeted online advertising on an aspect of privacy that the person wished to keep confidential, etc. - moral: minor but objective psychological harm, feeling of invasion of privacy without irremediable harm, intimidation on social networks, etc.

Important:

The people concerned could experience significant consequences, which they should be able to overcome, but with real and significant difficultiesExamples of impacts:- physical: serious physical ailment causing long-term damage (worsening of the state of health following poor treatment, or failure to comply with contraindications), alteration of physical integrity, etc.- material: embezzlement of money that is not irreversible (e.g. the loss of a car, the loss of a car, etc.). material: embezzlement of uncompensated money, targeted, one-off and non-recurring opportunities lost (mortgage, studies, work placements or employment, exam ban), loss of accommodation, loss of employment, etc. - moral: serious psychological condition (depression, phobia), feeling of invasion of privacy and irremediable harm, victim of blackmail, cyberbullying and mobbing, etc.

Maximum:

The people concerned could suffer significant, even irremediable, consequences that they may not be able to overcome. Examples of impacts:

• physical: long-term or permanent physical ailment, permanent impairment of physical integrity, death

• material: financial peril, major debts, inability to work, inability to find alternative accommodation, loss of evidence in legal proceedings, loss of access to vital infrastructure (water, electricity), etc.

• moral: long-term or permanent psychological illness, criminal sanction, abduction, loss of family ties, inability to go to court, change of administrative status and/or loss of legal autonomy (guardianship), etc.

The likelihood of a risk occurring. It depends essentially on the vulnerability of the media to the threats and the ability of the sources of risk to exploit them.

Negligible:

It does not seem possible that the selected risk sources could carry out the threat based on the characteristics of the media (e.g. theft of paper media stored in an organisation's premises to which access is controlled by badge and access code).

Limited:

It seems difficult for the selected sources of risk to carry out the threat based on the characteristics of the media (e.g. theft of paper media stored in an organisation's premises to which access is controlled by badge).

Important:

it seems possible for the selected risk sources to carry out the threat based on the characteristics of the media (e.g. theft of paper media stored in the offices of an organisation to which access is controlled by a receptionist).

Maximum:

it seems extremely easy for the selected risk sources to carry out the threat based on the characteristics of the media (e.g. theft of paper media stored in the organisation's public hall).

Severity represents the extent of a risk. It depends essentially on the detrimental nature of the potential impacts.

Negligible:

The people concerned will not be affected or may experience some inconvenience, which they will overcome without difficulty.Examples of impacts:- physical: temporary headaches- material: loss of time in repeating procedures or waiting to carry them out, re-use of data for targeted advertising of everyday consumer products, etc.,- moral: simple annoyance, feeling of invasion of privacy without real harm (commercial intrusion), etc.

Limited:

The people concerned could experience significant inconvenience, which they will be able to overcome despite some difficultiesExamples of impacts:- physical: minor physical ailment (e.g.: benign illness following non-compliance with contra-indications), defamation giving rise to physical reprisals, etc.- material: unscheduled payments (e.g.: unpaid invoices), etc.- moral: simple annoyance, feeling of invasion of privacy without any real prejudice (commercial intrusion), etc. material: unscheduled payments (e.g. erroneous fines), refusal of access to administrative or commercial services, targeted online advertising on an aspect of privacy that the person wished to keep confidential, etc. - moral: minor but objective psychological harm, feeling of invasion of privacy without irremediable harm, intimidation on social networks, etc.

Important:

The people concerned could experience significant consequences, which they should be able to overcome, but with real and significant difficultiesExamples of impacts:- physical: serious physical ailment causing long-term damage (worsening of the state of health following poor treatment, or failure to comply with contraindications), alteration of physical integrity, etc.- material: embezzlement of money that is not irreversible (e.g. the loss of a car, the loss of a car, etc.). material: embezzlement of uncompensated money, targeted, one-off and non-recurring opportunities lost (mortgage, studies, work placements or employment, exam ban), loss of accommodation, loss of employment, etc. - moral: serious psychological condition (depression, phobia), feeling of invasion of privacy and irremediable harm, victim of blackmail, cyberbullying and mobbing, etc.

Maximum:

The people concerned could suffer significant, even irremediable, consequences that they may not be able to overcome. Examples of impacts:

• physical: long-term or permanent physical ailment, permanent impairment of physical integrity, death

• material: financial peril, major debts, inability to work, inability to find alternative accommodation, loss of evidence in legal proceedings, loss of access to vital infrastructure (water, electricity), etc.

• moral: long-term or permanent psychological illness, criminal sanction, abduction, loss of family ties, inability to go to court, change of administrative status and/or loss of legal autonomy (guardianship), etc.

The likelihood of a risk occurring. It depends essentially on the vulnerability of the media to the threats and the ability of the sources of risk to exploit them.

Negligible:

It does not seem possible that the selected risk sources could carry out the threat based on the characteristics of the media (e.g. theft of paper media stored in an organisation's premises to which access is controlled by badge and access code).

Limited:

It seems difficult for the selected sources of risk to carry out the threat based on the characteristics of the media (e.g. theft of paper media stored in an organisation's premises to which access is controlled by badge).

Important:

it seems possible for the selected risk sources to carry out the threat based on the characteristics of the media (e.g. theft of paper media stored in the offices of an organisation to which access is controlled by a receptionist).

Maximum :

it seems extremely easy for the selected risk sources to carry out the threat based on the characteristics of the media (e.g. theft of paper media stored in the organisation's public hall).

Severity represents the extent of a risk. It depends essentially on the detrimental nature of the potential impacts.

Negligible:

The people concerned will not be affected or may experience some inconvenience, which they will overcome without difficulty.Examples of impacts:- physical: temporary headaches- material: loss of time in repeating procedures or waiting to carry them out, re-use of data for targeted advertising of everyday consumer products, etc.,- moral: simple annoyance, feeling of invasion of privacy without real harm (commercial intrusion), etc.

Limited:

The people concerned could experience significant inconvenience, which they will be able to overcome despite some difficultiesExamples of impacts:- physical: minor physical ailment (e.g.: benign illness following non-compliance with contra-indications), defamation giving rise to physical reprisals, etc.- material: unscheduled payments (e.g.: unpaid invoices), etc.- moral: simple annoyance, feeling of invasion of privacy without any real prejudice (commercial intrusion), etc. material: unscheduled payments (e.g. erroneous fines), refusal of access to administrative or commercial services, targeted online advertising on an aspect of privacy that the person wished to keep confidential, etc. - moral: minor but objective psychological harm, feeling of invasion of privacy without irremediable harm, intimidation on social networks, etc.

Important:

The people concerned could experience significant consequences, which they should be able to overcome, but with real and significant difficultiesExamples of impacts:- physical: serious physical ailment causing long-term damage (worsening of the state of health following poor treatment, or failure to comply with contraindications), alteration of physical integrity, etc.- material: embezzlement of money that is not irreversible (e.g. the loss of a car, the loss of a car, etc.). material: embezzlement of uncompensated money, targeted, one-off and non-recurring opportunities lost (mortgage, studies, work placements or employment, exam ban), loss of accommodation, loss of employment, etc. - moral: serious psychological condition (depression, phobia), feeling of invasion of privacy and irremediable harm, victim of blackmail, cyberbullying and mobbing, etc.

Maximum:

The people concerned could suffer significant, even irremediable, consequences that they may not be able to overcome. Examples of impacts:

• physical: long-term or permanent physical ailment, permanent impairment of physical integrity, death

• material: financial peril, major debts, inability to work, inability to find alternative accommodation, loss of evidence in legal proceedings, loss of access to vital infrastructure (water, electricity), etc.

• moral: long-term or permanent psychological illness, criminal sanction, abduction, loss of family ties, inability to go to court, change of administrative status and/or loss of legal autonomy (guardianship), etc.

The likelihood of a risk occurring. It depends essentially on the vulnerability of the media to the threats and the ability of the sources of risk to exploit them.

Negligible:

It does not seem possible that the selected risk sources could carry out the threat based on the characteristics of the media (e.g. theft of paper media stored in an organisation's premises to which access is controlled by badge and access code).

Limited:

It seems difficult for the selected sources of risk to carry out the threat based on the characteristics of the media (e.g. theft of paper media stored in an organisation's premises to which access is controlled by badge).

Important:

it seems possible for the selected risk sources to carry out the threat based on the characteristics of the media (e.g. theft of paper media stored in the offices of an organisation to which access is controlled by a receptionist).

Maximum:

it seems extremely easy for the selected risk sources to carry out the threat based on the characteristics of the media (e.g. theft of paper media stored in the organisation's public hall).

Severity represents the extent of a risk. It depends essentially on the detrimental nature of the potential impacts.

Negligible:

The people concerned will not be affected or may experience some inconvenience, which they will overcome without difficulty.Examples of impacts:- physical: temporary headaches- material: loss of time in repeating procedures or waiting to carry them out, re-use of data for targeted advertising of everyday consumer products, etc.,- moral: simple annoyance, feeling of invasion of privacy without real harm (commercial intrusion), etc.

Limited:

The people concerned could experience significant inconvenience, which they will be able to overcome despite some difficultiesExamples of impacts:- physical: minor physical ailment (e.g.: benign illness following non-compliance with contra-indications), defamation giving rise to physical reprisals, etc.- material: unscheduled payments (e.g.: unpaid invoices), etc.- moral: simple annoyance, feeling of invasion of privacy without any real prejudice (commercial intrusion), etc. material: unscheduled payments (e.g. erroneous fines), refusal of access to administrative or commercial services, targeted online advertising on an aspect of privacy that the person wished to keep confidential, etc. - moral: minor but objective psychological harm, feeling of invasion of privacy without irremediable harm, intimidation on social networks, etc.

Important:

The people concerned could experience significant consequences, which they should be able to overcome, but with real and significant difficultiesExamples of impacts:- physical: serious physical ailment causing long-term damage (worsening of the state of health following poor treatment, or failure to comply with contraindications), alteration of physical integrity, etc.- material: embezzlement of money that is not irreversible (e.g. the loss of a car, the loss of a car, etc.). material: embezzlement of uncompensated money, targeted, one-off and non-recurring opportunities lost (mortgage, studies, work placements or employment, exam ban), loss of accommodation, loss of employment, etc. - moral: serious psychological condition (depression, phobia), feeling of invasion of privacy and irremediable harm, victim of blackmail, cyberbullying and mobbing, etc.

Maximum:

The people concerned could suffer significant, even irremediable, consequences that they may not be able to overcome. Examples of impacts:

• physical: long-term or permanent physical ailment, permanent impairment of physical integrity, death

• material: financial peril, major debts, inability to work, inability to find alternative accommodation, loss of evidence in legal proceedings, loss of access to vital infrastructure (water, electricity), etc.

• moral: long-term or permanent psychological illness, criminal sanction, abduction, loss of family ties, inability to go to court, change of administrative status and/or loss of legal autonomy (guardianship), etc.

he likelihood of a risk occurring. It depends essentially on the vulnerability of the media to the threats and the ability of the sources of risk to exploit them.

Negligible:

It does not seem possible that the selected risk sources could carry out the threat based on the characteristics of the media (e.g. theft of paper media stored in an organisation's premises to which access is controlled by badge and access code).

Limited:

It seems difficult for the selected sources of risk to carry out the threat based on the characteristics of the media (e.g. theft of paper media stored in an organisation's premises to which access is controlled by badge).

Important:

it seems possible for the selected risk sources to carry out the threat based on the characteristics of the media (e.g. theft of paper media stored in the offices of an organisation to which access is controlled by a receptionist).

Maximum:

it seems extremely easy for the selected risk sources to carry out the threat based on the characteristics of the media (e.g. theft of paper media stored in the organisation's public hall).