From privacy-impact-assessment-skills
Provides DPIA risk scoring with ENISA/ISO 29134-aligned likelihood-severity matrix, residual risk calculation, and risk appetite thresholds for GDPR assessments.
Install:

```shell
npx claudepluginhub mukul975/privacy-data-protection-skills --plugin privacy-impact-assessment-skills
```

Triggered by: slash command `/privacy-impact-assessment-skills:dpia-risk-scoring` (invoked by the user, or auto-loaded by Claude based on the skill summary).

Skill summary (what Claude sees in its skill listing and uses to decide when to auto-load this skill):

Art. 35(7)(c) GDPR requires a DPIA to include "an assessment of the risks to the rights and freedoms of data subjects." This skill provides a quantifiable risk scoring framework that converts qualitative privacy risks into comparable, prioritised scores supporting mitigation decisions.
Severity scale: the impact on data subjects if the risk materialises, scored 1 to 4.

| Level | Score | Description | Examples |
|---|---|---|---|
| Negligible | 1 | Minor inconvenience, easily recoverable | Temporary inability to access non-essential service |
| Limited | 2 | Significant inconvenience, recoverable with effort | Targeted advertising based on inferred preferences |
| Significant | 3 | Serious consequences, difficult to recover from | Financial loss, discrimination, reputational harm |
| Maximum | 4 | Irreversible or very difficult to recover from | Identity theft, physical safety risk, loss of employment |
Likelihood scale: the probability that the risk materialises given the controls actually in place, scored 1 to 4.

| Level | Score | Description | Indicators |
|---|---|---|---|
| Negligible | 1 | Unlikely given current controls | Strong technical controls, limited access, encrypted at rest and in transit |
| Limited | 2 | Possible but requires specific conditions | Some access controls, partial encryption, known but unproven attack vectors |
| Significant | 3 | Probable given known threat landscape | Weak controls in specific areas, prior incidents in sector, active threat actors |
| Maximum | 4 | Near-certain or already occurring | No controls, known vulnerabilities, prior breach of similar system |
Risk matrix: the risk score is severity multiplied by likelihood, and each cell shows the score with its risk level in brackets.

| Likelihood ↓ / Severity → | Negligible (1) | Limited (2) | Significant (3) | Maximum (4) |
|---|---|---|---|---|
| Maximum (4) | 4 (M) | 8 (H) | 12 (VH) | 16 (VH) |
| Significant (3) | 3 (L) | 6 (M) | 9 (H) | 12 (VH) |
| Limited (2) | 2 (L) | 4 (M) | 6 (M) | 8 (H) |
| Negligible (1) | 1 (L) | 2 (L) | 3 (L) | 4 (M) |

Risk levels (risk appetite thresholds): L = Low (1-3), M = Medium (4-6), H = High (7-9), VH = Very High (10-16).
Residual risk is the matrix score re-assessed with the planned mitigation measures in place: each measure lowers the likelihood and/or severity score, and the product is recalculated. When residual risk remains High or Very High after all feasible mitigation measures, the controller must consult the supervisory authority under Art. 36(1) GDPR before commencing the processing.
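The scoring procedure above (scale validation, severity × likelihood, level banding, residual re-scoring and the Art. 36(1) trigger) carried through in code, as an added example that is not the skill's own implementation. It assumes a mitigation model that the page does not spell out: each control removes a whole number of points from the likelihood and/or severity score, floored at 1, and the residual score is the product of the reduced scores. The risk register at the bottom is constructed for illustration.

```python
"""DPIA risk scoring on the 4x4 severity x likelihood matrix above.

Added example, not code from the skill or its author. Assumption (not on the
page): a mitigation lowers the likelihood and/or severity score by a whole
number of points, floored at 1; residual risk is the re-scored product.
"""
from dataclasses import dataclass, field

SCALE = {1: "Negligible", 2: "Limited", 3: "Significant", 4: "Maximum"}

# Risk appetite bands from the matrix legend: L 1-3, M 4-6, H 7-9, VH 10-16.
BANDS = ((3, "Low"), (6, "Medium"), (9, "High"), (16, "Very High"))


def check_scale(value: int, name: str) -> int:
    """Reject anything outside 1..4 so a typo cannot silently hide a risk."""
    if not isinstance(value, int) or value not in SCALE:
        raise ValueError(f"{name} must be an integer 1..4, got {value!r}")
    return value


def risk_score(severity: int, likelihood: int) -> int:
    """Score = severity x likelihood, i.e. the cell value in the matrix."""
    return check_scale(severity, "severity") * check_scale(likelihood, "likelihood")


def risk_level(score: int) -> str:
    """Map a matrix cell to its L/M/H/VH band."""
    if not 1 <= score <= 16:
        raise ValueError(f"score {score} is outside the 4x4 matrix")
    for upper, label in BANDS:
        if score <= upper:
            return label
    raise AssertionError("unreachable: 16 is caught by the last band")


def matrix_rows() -> list[list[str]]:
    """Render the matrix as the page prints it: likelihood rows from Maximum
    down to Negligible, severity columns from Negligible up to Maximum."""
    abbrev = {"Low": "L", "Medium": "M", "High": "H", "Very High": "VH"}
    rows = []
    for likelihood in (4, 3, 2, 1):
        row = []
        for severity in (1, 2, 3, 4):
            s = risk_score(severity, likelihood)
            row.append(f"{s}({abbrev[risk_level(s)]})")
        rows.append(row)
    return rows


@dataclass
class Mitigation:
    """A control and how many scale points it removes (assumed model)."""
    name: str
    likelihood_reduction: int = 0
    severity_reduction: int = 0


@dataclass
class Risk:
    description: str
    severity: int
    likelihood: int
    mitigations: list[Mitigation] = field(default_factory=list)

    def inherent(self) -> int:
        return risk_score(self.severity, self.likelihood)

    def residual_scale(self) -> tuple[int, int]:
        """Scores after mitigations. A control never takes a score below 1:
        'Negligible' is the floor of the scale, not 'no risk'."""
        sev = max(1, self.severity - sum(m.severity_reduction for m in self.mitigations))
        lik = max(1, self.likelihood - sum(m.likelihood_reduction for m in self.mitigations))
        return sev, lik

    def residual(self) -> int:
        return risk_score(*self.residual_scale())

    def needs_art36_consultation(self) -> bool:
        """Residual High or Very High -> prior consultation under Art. 36(1)."""
        return risk_level(self.residual()) in ("High", "Very High")


def prioritise(risks: list[Risk]) -> list[Risk]:
    """Worst residual first; ties broken by inherent score so heavily
    controlled-down risks stay visible to reviewers."""
    return sorted(risks, key=lambda r: (r.residual(), r.inherent()), reverse=True)


# Constructed sample register (illustrative, not taken from any real DPIA).
REGISTER = [
    Risk("Re-identification of pseudonymised health records via linkage with public datasets",
         severity=4, likelihood=3,
         mitigations=[Mitigation("Generalise/suppress quasi-identifiers before release", likelihood_reduction=1),
                      Mitigation("Contractual linkage ban plus access logging", likelihood_reduction=1)]),
    Risk("Unauthorised access to HR appraisal data through a shared admin account",
         severity=3, likelihood=4,
         mitigations=[Mitigation("Named accounts with MFA", likelihood_reduction=1)]),
    Risk("Temporary outage of the self-service preference portal", severity=1, likelihood=2),
]

if __name__ == "__main__":
    for r in prioritise(REGISTER):
        print(f"{r.inherent():>2} {risk_level(r.inherent()):<9} -> {r.residual():>2} "
              f"{risk_level(r.residual()):<9} Art.36: {'yes' if r.needs_art36_consultation() else 'no':<3} "
              f"{r.description}")
```

Note that the first register entry drops from 12 (Very High) to 4 (Medium) purely by lowering likelihood; severity stays at 4 because re-identification, once it happens, is still irreversible. The second entry stays at 9 (High) after its single control, so it is the one that triggers prior consultation, and `prioritise` puts it at the top of the register.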