Guides privacy audit risk assessment: develops risk universe, scores inherent/residual risks, evaluates control effectiveness, enables risk-based planning, heat maps, appetite alignment, and prioritization.
npx claudepluginhub mukul975/privacy-data-protection-skills --plugin privacy-skills-completeThis skill uses the workspace's default tool permissions.
Privacy audit risk assessment is the systematic process of identifying, evaluating, and prioritising privacy risks to determine audit scope, frequency, and resource allocation. A risk-based approach ensures that audit effort is directed at areas of greatest exposure, aligning with the accountability principle under GDPR Article 5(2) and the proportionality requirements of ISO 19011:2018.
Conducts multi-round deep research on GitHub repos via API and web searches, generating markdown reports with executive summaries, timelines, metrics, and Mermaid diagrams.
Dynamically discovers and combines enabled skills into cohesive, unexpected delightful experiences like interactive HTML or themed artifacts. Activates on 'surprise me', inspiration, or boredom cues.
Generates images from structured JSON prompts via Python script execution. Supports reference images and aspect ratios for characters, scenes, products, visuals.
Privacy audit risk assessment is the systematic process of identifying, evaluating, and prioritising privacy risks to determine audit scope, frequency, and resource allocation. A risk-based approach ensures that audit effort is directed at areas of greatest exposure, aligning with the accountability principle under GDPR Article 5(2) and the proportionality requirements of ISO 19011:2018.
The International Internal Audit Standards (IIA Standard 2010) require the chief audit executive to establish a risk-based plan to determine the priorities of the internal audit activity. In the privacy domain, this means evaluating processing activities, data categories, transfer mechanisms, and regulatory exposure to identify where compliance failures would cause the greatest harm.
The privacy audit risk universe encompasses all auditable entities within the organisation's privacy programme:
| Risk Domain | Auditable Entities | Example Risks |
|---|---|---|
| Data Subject Rights | DSAR processing, consent management, automated decisions | Late DSAR responses, invalid consent, no human review for automated decisions |
| Data Processing | Processing registers, lawful basis documentation, purpose limitation | Undocumented processing, incorrect lawful basis, purpose creep |
| Data Transfers | International transfers, SCCs, BCRs, adequacy reliance | Transfer without safeguards, outdated SCCs, Schrems II non-compliance |
| Data Security | Technical controls, access management, encryption | Unauthorised access, unencrypted personal data, excessive permissions |
| Breach Management | Detection, notification, documentation, remediation | Late notification (>72 hours), inadequate forensics, poor remediation |
| Vendor Management | Processor contracts, sub-processor oversight, due diligence | Missing Article 28 clauses, no sub-processor approval, inadequate DPA |
| Privacy Governance | DPO independence, training, policies, ROPA | DPO conflict of interest, outdated policies, incomplete ROPA |
| Special Categories | Biometric data, health data, children's data | Missing DPIA, inadequate safeguards, no explicit consent |
| Factor | Weight | Scale (1-5) | Description |
|---|---|---|---|
| Data Volume | 20% | 1=<1K records, 5=>1M records | Volume of personal data processed |
| Data Sensitivity | 25% | 1=basic contact, 5=special category/biometric | Sensitivity of data categories involved |
| Regulatory Exposure | 25% | 1=single jurisdiction, 5=global multi-regime | Number and stringency of applicable regulations |
| Processing Complexity | 15% | 1=simple storage, 5=AI/automated decisions | Complexity of processing operations |
| External Sharing | 15% | 1=internal only, 5=multiple third-party transfers | Extent of data sharing with external parties |
| Rating | Score | Definition |
|---|---|---|
| Effective | 1 | Controls designed and operating effectively; no significant deficiencies |
| Partially Effective | 2 | Controls exist but have gaps in design or operation |
| Ineffective | 3 | Controls absent, poorly designed, or not operating as intended |
Residual Risk Score = Inherent Risk Score x Control Effectiveness Score
| Residual Score | Rating | Audit Priority |
|---|---|---|
| 1.0 – 2.0 | Low | Audit every 3 years |
| 2.1 – 3.5 | Medium | Audit every 2 years |
| 3.6 – 4.5 | High | Audit annually |
| 4.6 – 5.0 | Critical | Audit semi-annually; continuous monitoring |
| Risk Category | Risk Appetite | Rationale |
|---|---|---|
| Regulatory compliance | Very Low | Zero tolerance for material non-compliance with GDPR, CCPA, or sector-specific regulation |
| Data subject harm | Very Low | Protecting individuals is the primary objective of the privacy programme |
| Operational disruption | Low | Privacy controls must not unduly impede business operations |
| Reputational | Low | Privacy incidents erode customer trust and brand value |
| Financial (penalties) | Very Low | Maximum GDPR penalty: EUR 20M or 4% global turnover |
The risk assessment directly feeds the annual privacy audit plan:
| Input | Output |
|---|---|
| Residual risk scores by auditable entity | Prioritised list of audit engagements |
| Risk appetite thresholds | Minimum audit frequency per entity |
| Resource constraints | Audit resource allocation model |
| Regulatory developments | Emerging risk adjustments (e.g., AI Act, new state laws) |
| Prior audit findings | Increased frequency for entities with unresolved high/critical findings |
| Management requests | Ad-hoc audit engagements for new processing activities or incidents |
| Likelihood ↓ / Impact → | Low Impact | Medium Impact | High Impact | Critical Impact |
|---|---|---|---|---|
| Very Likely | Medium | High | Critical | Critical |
| Likely | Low | Medium | High | Critical |
| Possible | Low | Medium | High | High |
| Unlikely | Low | Low | Medium | High |
| Rare | Low | Low | Low | Medium |