Threshold value analysis for risk assessment

Attention! As soon as you carry out a threshold analysis, we strongly advise you to get a data protection specialist or legal support on board. The data processing is then so sensitive that you need support to ensure an appropriate level of protection.

A threshold analysis is a form of risk assessment that is usually carried out before a data protection impact assessment (DPIA). As a reminder, if the data to be processed is particularly sensitive (e.g. special categories of personal data under Article 9 GDPR), a more extensive analysis in the form of a DPIA must be carried out in order to protect the data adequately.

There are no precise specifications for the number of risk classes. In practice, however, it has proven helpful to use four damage classes and four classes for the probability of occurrence (e.g. minor, manageable, substantial and major).

You can use the following table to analyse the individual processing operations.

Templates

Based on this matrix, measures can be taken to contain the risks. These include all technical and organisational measures (TOMs) that reduce either the damage or the probability of occurrence. The so-called "threshold value analysis" produces the following results: 

  • All "green" processing operations are not subject to any risk, meaning that no special protective measures are required.
  • Processing that is categorised in the yellow and orange fields should be examined more closely. Here it must be checked whether the technical and organisational measures are sufficient to ensure adequate protection of the data. This includes, for example, a closer examination of the service providers involved and of the processes for granting access authorisations and for further processing.
  • For processing operations that are categorised in the "red" fields, you should seek legal advice. The risks here are so high that an intensive review of all aspects is an absolute must. As a rule, further measures must be taken here, such as an intensive review of the processing by carrying out a data protection impact assessment.


Examples of protective measures
  • Encrypting data can prevent the data from being used, even if it falls into the hands of unauthorised persons.
  • Strict regulation of access rights can prevent data from falling into the hands of unauthorised persons.
  • Regularly sensitising employees to security risks in their day-to-day work and providing them with appropriate training can help to reduce the risks of cyber attacks.


The results of the risk analysis and the measures taken should always be recorded in the data protection documentation.