Overview
Conduct a privacy-specific risk assessment focusing on risks to PII principals per ISO 27701 Clause 5.4. Unlike a standard ISO 27001 risk assessment that measures impact on the organization, this skill measures impact on individuals: physical harm, financial loss, discrimination, emotional distress, identity theft, and loss of autonomy. The skill defines privacy impact criteria, identifies privacy threats per processing activity and PII principal category, scores risks on a 5x5 privacy impact matrix, and plans treatment using privacy-specific options (minimize, pseudonymize, anonymize, consent, purpose limitation, encryption, deletion).
What It Covers
- Privacy Impact Criteria — Define an impact scale focused on harm to individuals (physical, financial, discriminatory, reputational, emotional, autonomy, identity theft, social disadvantage) distinct from organizational impact
- Privacy Threat Identification — Catalog threats per processing activity: unauthorized access, excessive collection, purpose creep, re-identification, unauthorized disclosure, denial of rights, data breach, and more
- 5x5 Privacy Risk Matrix — Score each risk on likelihood (1-5) and privacy impact on individuals (1-5), producing a risk level that prioritizes harm to data subjects
- PII Principal Coverage — Ensure every category of individual (patients, employees, visitors, applicants) has at least one risk entry in the register
- Privacy-Specific Treatment — Plan mitigation using privacy controls: data minimization, pseudonymization, anonymization, consent strengthening, purpose limitation, encryption, and timely deletion
Example Conversation
You: We need to conduct a privacy risk assessment for MedSecure Health Technologies. We already have the PIMS scope and PII inventory completed. Our main concern is patient health data — a breach there would be catastrophic for individuals. But we also need to assess risks to employees and website visitors.
Agent: I’ve loaded your PIMS scope and PII inventory. I can see you have four PII principal categories: patients, employees, job applicants, and website visitors. Let me start by defining the privacy risk methodology, then we’ll identify threats for each group.
First, I need to distinguish privacy impact from organizational impact. For this assessment, impact is measured by harm to the individual, not to MedSecure. Let me draft the methodology with the 8 privacy impact categories:
- Physical harm (e.g., a patient’s condition is exposed, leading to denial of insurance or treatment)
- Financial loss (e.g., employee bank details stolen)
- Discrimination (e.g., health data used for discriminatory decisions)
- Reputational damage to individuals (e.g., patient’s sensitive diagnosis made public)
- Emotional distress (e.g., anxiety from learning personal health data was breached)
- Loss of autonomy (e.g., inability to control how health data is shared)
- Identity theft (e.g., SSN/CPF from employee records used fraudulently)
- Social disadvantage (e.g., denied services based on disclosed health conditions)
check_privacy_impact_criteria on output/Privacy-Risk-Methodology.md:
Privacy impact categories: 8/8 (100%)
[OK] Physical harm
[OK] Financial loss
[OK] Discrimination
[OK] Reputational damage to individuals
[OK] Emotional distress
[OK] Loss of autonomy
[OK] Identity theft
[OK] Social disadvantage
RESULT: PASS
Now let me build the risk register. For patients, the highest-impact risks involve unauthorized disclosure of health data and data breaches. Let me walk through the top risks I’ve identified:
- PR-001 — Unauthorized access to patient health records by internal staff without clinical need. Likelihood: 3, Privacy Impact: 5 (physical harm, discrimination). Risk level: High (15).
- PR-002 — Data breach exposing patient diagnoses and medications. Likelihood: 2, Privacy Impact: 5 (identity theft, emotional distress, discrimination). Risk level: High (10).
- PR-003 — Purpose creep — patient data used for MedSecure marketing analytics. Likelihood: 2, Privacy Impact: 4 (loss of autonomy). Risk level: Medium (8).
For employees:
- PR-006 — Identity theft from exposed SSN/CPF in HR records. Likelihood: 2, Privacy Impact: 5. Risk level: High (10).
I’ve documented 12 risks total covering all four PII principal categories. Let me validate.
check_privacy_risk_completeness on output/Privacy-Risk-Assessment.md:
Entries analyzed: 12
PII principal categories in scope: patient, employee, applicant, visitor
PII principal coverage: 100%
RESULT: PASS
All 12 risks have complete fields and every PII principal category is covered. Treatment plans prioritize data minimization and encryption for health data, and access restriction with pseudonymization for employee records.
Sample Output Excerpt
Below is a representative excerpt from the Privacy Risk Assessment showing the risk register with privacy impact scored on harm to individuals.
Privacy Risk Assessment — MedSecure Health Technologies
Privacy Risk Register
| Risk ID | Processing Activity | PII Principals | Threat | Privacy Impact Category | L | PI | Risk Level | Risk Owner | Treatment | Treatment Details | Residual Risk |
|---|---|---|---|---|---|---|---|---|---|---|---|
| PR-001 | Patient health records processing | Patients | Unauthorized access by internal staff without clinical need | Physical harm, Discrimination | 3 | 5 | High (15) | CISO | Access restriction | Implement purpose-based access controls — staff can only view patient records tied to active support tickets. Quarterly access reviews. | Medium (6) |
| PR-002 | Patient health records processing | Patients | Data breach exposing diagnoses and medications | Identity theft, Emotional distress | 2 | 5 | High (10) | CISO | Encryption, Minimize | Encrypt all health data at rest (AES-256) and in transit (TLS 1.3). Minimize data retained — purge records 30 days post-contract. | Low (4) |
| PR-003 | Patient health records processing | Patients | Purpose creep — data reused for internal analytics | Loss of autonomy | 2 | 4 | Medium (8) | DPO | Purpose limitation | Technical controls to prevent patient data access from analytics pipelines. Data segregation between processor and controller environments. | Low (3) |
| PR-004 | Patient health records processing | Patients | Re-identification of anonymized research datasets | Discrimination, Social disadvantage | 1 | 5 | Medium (5) | DPO | Anonymize | Apply k-anonymity (k>=5) and differential privacy to any research outputs. Prohibit linkage with external datasets. | Low (2) |
| PR-005 | Patient health records processing | Patients | Lack of transparency — patients unaware MedSecure processes their data | Loss of autonomy | 3 | 3 | Medium (9) | DPO | Consent | Work with provider clients to ensure privacy notices disclose MedSecure as sub-processor. Publish processor privacy notice. | Low (3) |
| PR-006 | Employee HR management | Employees | Identity theft from SSN/CPF exposure | Identity theft, Financial loss | 2 | 5 | High (10) | HR Director | Pseudonymize, Encryption | Pseudonymize SSN/CPF in Workday — display only last 4 digits. Encrypt HR database at rest. Restrict access to payroll team only. | Low (4) |
| PR-007 | Employee HR management | Employees | Unauthorized disclosure of performance reviews | Reputational damage, Emotional distress | 2 | 3 | Medium (6) | HR Director | Access restriction | Restrict performance data to direct manager chain and HR. Audit log all access. | Low (2) |
Risk Distribution Summary
| Risk Level | Count | Percentage |
|---|---|---|
| Critical (20-25) | 0 | 0% |
| High (10-19) | 3 | 25% |
| Medium (5-9) | 5 | 42% |
| Low (2-4) | 3 | 25% |
| Very Low (1) | 1 | 8% |
Extension Tools
check_privacy_risk_completeness
Validates each entry in the privacy risk register for completeness and checks PII principal coverage across the PIMS scope.
| Check | Severity | What It Validates |
|---|---|---|
| Risk ID format | ERROR if invalid | Each entry has a PR-NNN format identifier |
| Processing activity | ERROR if missing | Activity description is present (not blank or placeholder) |
| PII principal category | ERROR if missing | Affected individuals are identified |
| Threat description | ERROR if missing | Privacy threat is described with sufficient detail |
| Privacy impact category | WARNING if missing | Impact type is specified (physical harm, financial loss, etc.) |
| Likelihood score (1-5) | ERROR if invalid | Score is a number between 1 and 5 |
| Privacy impact score (1-5) | ERROR if invalid | Score is a number between 1 and 5 |
| Risk level calculation | ERROR if mismatch | Recorded risk score equals likelihood x privacy impact |
| Risk owner | WARNING if missing | Person accountable for treatment is assigned |
| Treatment decision | ERROR if missing | Treatment approach is documented |
| PII principal coverage | WARNING per gap | Every PII principal category from the PIMS scope has at least one risk entry |
Optionally accepts a path to the PIMS scope document for cross-checking PII principal categories.
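As an added example (not the skill's own code), the following Python mirrors the 5x5 scoring bands from the Risk Distribution Summary and the per-entry and coverage checks in the table above, run over a small constructed register. The function names, the reduced column set and the sample rows are assumptions; the real tool reads output/Privacy-Risk-Assessment.md and may differ in detail.

```python
import re

# Bands from the page's Risk Distribution Summary; score = likelihood x privacy impact.
BANDS = [(20, "Critical"), (10, "High"), (5, "Medium"), (2, "Low"), (1, "Very Low")]

def risk_level(likelihood, impact):
    """Map a 5x5 cell to its band label, e.g. (3, 5) -> 'High (15)'."""
    score = likelihood * impact
    return next(f"{label} ({score})" for floor, label in BANDS if score >= floor)

def parse_register(markdown):
    """Parse a pipe-table risk register into one dict per row, keyed by header cell."""
    rows = [r for r in markdown.strip().splitlines() if r.startswith("|")]
    header = [c.strip() for c in rows[0].strip("|").split("|")]
    return [dict(zip(header, (c.strip() for c in r.strip("|").split("|"))))
            for r in rows[2:]]  # rows[1] is the |---| separator line

def check_completeness(entries, scope_categories):
    """Per-entry checks of check_privacy_risk_completeness plus PII principal coverage."""
    findings, covered = [], set()
    for e in entries:
        rid = e.get("Risk ID", "")
        if not re.fullmatch(r"PR-\d{3}", rid):
            findings.append(("ERROR", rid, "Risk ID not in PR-NNN format"))
        for f in ("Processing Activity", "PII Principals", "Threat", "Treatment"):
            if not e.get(f):
                findings.append(("ERROR", rid, f"{f} missing"))
        for f in ("Privacy Impact Category", "Risk Owner"):
            if not e.get(f):
                findings.append(("WARNING", rid, f"{f} missing"))
        lk, pi = (int(e[k]) if e.get(k, "").isdigit() else 0 for k in ("L", "PI"))
        if not (1 <= lk <= 5 and 1 <= pi <= 5):
            findings.append(("ERROR", rid, "likelihood/impact score not in 1-5"))
        elif e.get("Risk Level") != risk_level(lk, pi):
            findings.append(("ERROR", rid, "risk level does not equal L x PI"))
        covered.add(e.get("PII Principals", "").lower().rstrip("s"))
    findings += [("WARNING", "-", f"no risk entry covers {c}")
                 for c in scope_categories if c not in covered]
    return findings

# Constructed sample modelled on the page's register: PR-003 is deliberately mis-banded and no row covers applicants or visitors.
SAMPLE = """
| Risk ID | Processing Activity | PII Principals | Threat | Privacy Impact Category | L | PI | Risk Level | Risk Owner | Treatment |
|---|---|---|---|---|---|---|---|---|---|
| PR-001 | Patient health records | Patients | Unauthorized internal access | Physical harm | 3 | 5 | High (15) | CISO | Access restriction |
| PR-003 | Patient health records | Patients | Purpose creep | Loss of autonomy | 2 | 4 | High (8) | DPO | Purpose limitation |
| PR-006 | Employee HR management | Employees | SSN/CPF exposure | Identity theft | 2 | 5 | High (10) | HR Director | Pseudonymize |
"""
SCOPE = ["patient", "employee", "applicant", "visitor"]
```

Calling check_completeness(parse_register(SAMPLE), SCOPE) reports one ERROR for PR-003 (recorded "High (8)" where 2 x 4 falls in the Medium band) and one coverage WARNING each for applicants and visitors.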
check_privacy_impact_criteria
Validates that the risk methodology document defines privacy-specific impact criteria distinct from standard infosec organizational impact.
| Check | Severity | What It Validates |
|---|---|---|
| Physical harm | ERROR if many missing | Impact category is defined in methodology |
| Financial loss | ERROR if many missing | Impact category is defined in methodology |
| Discrimination | ERROR if many missing | Impact category is defined in methodology |
| Reputational damage to individuals | ERROR if many missing | Specifically references harm to individuals, not organization |
| Emotional distress | ERROR if many missing | Impact category is defined in methodology |
| Loss of autonomy | ERROR if many missing | Impact category is defined in methodology |
| Identity theft | ERROR if many missing | Impact category is defined in methodology |
| Social disadvantage | ERROR if many missing | Impact category is defined in methodology |
| Privacy-specific impact scale | ERROR if missing | Impact criteria focus on harm to individuals, not organizational impact |
| Distinction from organizational impact | WARNING if missing | Methodology explicitly distinguishes privacy impact from infosec impact |
| Likelihood scale | ERROR if missing | 1-5 likelihood scale is defined |
| Risk matrix | WARNING if missing | Visual 5x5 risk matrix is included |
| Acceptance criteria | ERROR if missing | Risk acceptance thresholds are defined |
| Treatment options | ERROR if missing | Privacy-specific treatment options are listed |
| Roles and responsibilities | WARNING if missing | Accountability for risk management is defined |
| Review frequency | WARNING if missing | Periodic reassessment schedule is stated |
Getting Started
To conduct an effective privacy risk assessment, prepare the following:
Complete prerequisite skills — The agent loads the PIMS Scope Statement and PII Processing Inventory to identify PII principal categories, processing activities, and data flows. Complete those skills first for the best results.
Understand the privacy perspective — This assessment measures harm to individuals, not to your organization. A data breach that costs your company $1M in fines is an organizational risk. The same breach causing a patient to be denied insurance because their diagnosis was exposed is a privacy risk. Keep this distinction in mind.
Know your PII principal categories — List every group of individuals whose data you process: patients, employees, website visitors, job applicants, minors, vulnerable individuals. The agent will ensure every category has at least one risk entry.
Existing ISMS risk assessment — If you have already completed the ISO 27001 risk assessment, the agent can reference it to extend your existing methodology with privacy-specific criteria rather than starting from scratch.
Incident history — If your organization has experienced privacy incidents, data breaches, or data subject complaints, share that context. Real incidents inform more accurate likelihood scores.
Regulatory requirements — Certain regulations (GDPR, LGPD) require Data Protection Impact Assessments (DPIAs) for high-risk processing. This risk assessment can serve as the foundation for those DPIAs.
The skill produces two documents: output/Privacy-Risk-Methodology.md (scoring criteria and methodology) and output/Privacy-Risk-Assessment.md (the full privacy risk register with treatment plans).