In the context of Data Protection Impact Assessment (DPIA) the risk levels are:
High: High risk signifies that the activity or process being assessed poses a significant threat to individuals' rights and freedoms or to the organization itself. It typically implies that there is a substantial likelihood of severe harm or adverse consequences if risks are not adequately addressed. High-risk processing activities may involve sensitive personal data, large-scale data processing, or processing activities with a high potential for data breaches or misuse. Organisations should prioritise mitigating high-risk scenarios and implementing robust risk reduction measures.
Medium: Medium risk suggests that the activity or process has the potential to cause harm or adverse consequences, but the likelihood or severity of these consequences is not as significant as in high-risk scenarios. Medium-risk situations may require measures to mitigate the identified risks, but these measures may not need to be as extensive or urgent as those for high-risk situations. Medium-risk processing activities may involve personal data that is not highly sensitive or situations where the potential impact on individuals is moderate.
Low: Low risk indicates that the activity or process is unlikely to result in significant harm or adverse consequences to individuals' rights and freedoms or the organisation. Low-risk scenarios may still require some risk management measures, but these are typically less extensive and urgent than for high or medium risk situations. In the context of data protection, low-risk processing activities may involve non-sensitive personal data or activities with minimal potential for harm.