Risk analysis cannot produce deterministic outcomes, even when it rests on quantitative methods. Because the approach is necessarily empirical, we usually refer to it as pseudo-quantitative. This choice aims to overcome the shortcomings of both a purely qualitative and a purely quantitative approach. The former, based on a simple rating of risk levels, is useful for intuitively identifying priorities but offers little support to the decision-making process. The latter, based on a purely quantitative algorithm, requires statistical models and significance levels that are hard to establish, given the low volume of available data, and even harder to maintain over time. It therefore seems appropriate to adopt an approach based on the probability of events, the severity of impacts and the effectiveness of controls, each classified on a conventional scale and combined by a formula in which risk grows with the first two factors and decreases with the third, yielding a single number that can be taken as the risk value.
This means that risk evaluation is always empirical; beyond that, every evaluation must expose the calculation on which it is based, so that the reliability of the results can be judged, including over time. The results must then feed a decision-making process that weighs economic impacts against expected benefits. In other words: on the one hand a risk calculation model, with its chosen parameters, must be defined so that its result is as reliable as possible; on the other hand the model can only support the decision-making process, which is run with responsibility and autonomy by those with spending authority, who determine which risks must be remediated and how.
In the spirit of GDPR and in line with best practice, the suggested solution for risk analysis is a quantitative evaluation with conventional values for the parameters involved: impact, likelihood and vulnerability, the risk calculation criteria and the acceptance threshold. The values (e.g. from 1 to 10, or another scale) express the risk as a number to be compared with the defined acceptance threshold, for each threat to the processing of personal data. In short, the Privacy Impact Assessment (PIA) should be accompanied by a formal methodology that allows results to be compared over time.
Where GDPR refers to risk and to the data protection impact assessment, the need for transparent and quantitative evaluation criteria is clear. If the Privacy Impact Assessment indicates that processing operations involve a high risk which the controller cannot mitigate by appropriate measures, in terms of available technology and cost of implementation, the supervisory authority should be consulted prior to the processing.
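The following is an added example, not code from the original page, of the pseudo-quantitative scheme the preceding paragraphs describe: a score that grows with likelihood and impact and shrinks with control effectiveness, computed on conventional 1-10 scales, compared against an acceptance threshold, and recorded together with its parameters so that later assessments can be compared with it. The page does not fix a formula, so the product `likelihood * impact / control_effectiveness`, the 1-10 scales, the two thresholds, the `max_achievable_control` field (the best control level reachable with available technology and cost, used to decide when a high risk cannot be mitigated and the supervisory authority must be consulted) and the sample treatments are all assumptions made for this example.

```python
"""Added example (not from the original page): a pseudo-quantitative risk
score with a reproducible record of parameters and results.

Assumptions: formula L * I / C, conventional 1-10 scales, an acceptance
threshold of 20 and a high-risk threshold of 50, a `max_achievable_control`
field per treatment, and constructed sample treatments.
"""
from dataclasses import dataclass, asdict
from math import ceil
import json

SCALE_MIN, SCALE_MAX = 1, 10  # conventional 1-10 scale (assumption)


@dataclass(frozen=True)
class Treatment:
    name: str
    likelihood: int              # probability of the threat event, 1..10
    impact: int                  # severity for the data subjects, 1..10
    control_effectiveness: int   # current controls, 1 (none) .. 10 (fully effective)
    max_achievable_control: int  # best level reachable with available technology and cost (assumption)


def _check(value, label):
    """Reject values outside the conventional scale so scores stay comparable across runs."""
    if not isinstance(value, int) or not SCALE_MIN <= value <= SCALE_MAX:
        raise ValueError(f"{label} must be an integer in [{SCALE_MIN}, {SCALE_MAX}], got {value!r}")
    return value


def risk_score(likelihood, impact, control_effectiveness):
    """Directly proportional to likelihood and impact, inversely to control effectiveness.
    With 1-10 scales the result lies in [0.1, 100]."""
    L = _check(likelihood, "likelihood")
    I = _check(impact, "impact")
    C = _check(control_effectiveness, "control_effectiveness")
    return L * I / C


def required_control(likelihood, impact, acceptance_threshold):
    """Smallest control level that brings the score to or below the acceptance threshold."""
    return max(SCALE_MIN, ceil(likelihood * impact / acceptance_threshold))


def decide(t, acceptance_threshold=20.0, high_risk_threshold=50.0):
    """Map one treatment to a decision: accept, remediate (and to what control level),
    consult the supervisory authority (high risk that cannot be mitigated), or escalate."""
    score = risk_score(t.likelihood, t.impact, t.control_effectiveness)
    needed = required_control(t.likelihood, t.impact, acceptance_threshold)
    if score <= acceptance_threshold:
        decision = "accept"
    elif needed <= t.max_achievable_control:
        decision = f"remediate: raise control effectiveness from {t.control_effectiveness} to {needed}"
    elif score > high_risk_threshold:
        decision = "high risk, cannot be mitigated: consult supervisory authority before processing"
    else:
        decision = "above threshold and not fully mitigable: escalate to the risk owner"
    return {**asdict(t), "score": round(score, 2), "required_control": needed, "decision": decision}


def assess(treatments, acceptance_threshold=20.0, high_risk_threshold=50.0):
    """Store the method and parameters next to the results, so the calculation can be
    reproduced and compared with a later assessment run with the same conventions."""
    return {
        "method": "risk = likelihood * impact / control_effectiveness",
        "scale": [SCALE_MIN, SCALE_MAX],
        "acceptance_threshold": acceptance_threshold,
        "high_risk_threshold": high_risk_threshold,
        "results": [decide(t, acceptance_threshold, high_risk_threshold) for t in treatments],
    }


# Constructed sample data for the example, not real assessments.
SAMPLE_TREATMENTS = [
    Treatment("newsletter subscriptions", likelihood=3, impact=2, control_effectiveness=5, max_achievable_control=8),
    Treatment("employee payroll", likelihood=6, impact=8, control_effectiveness=2, max_achievable_control=6),
    Treatment("visitor behavioural analytics", likelihood=7, impact=5, control_effectiveness=1, max_achievable_control=1),
    Treatment("patient health profiling", likelihood=8, impact=10, control_effectiveness=1, max_achievable_control=3),
]

if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_TREATMENTS), indent=2))
```

Running the block prints the assessment record as JSON; keeping the method, scale and thresholds in that record is what makes two assessments comparable over time, and the `required_control` field turns "remediate" into a concrete target rather than a rating.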