1. Defining the context – In the first stage, the context of processing is defined and the following information is stated or described:
- collection of personal data,
- purpose of the processing,
- data movement,
- method(s) of obtaining the data,
- method and means of data processing (used equipment, networks, human resources, etc.),
- entities involved in the processing (controllers, processors, users, etc.),
- storage period.
2. Risk analysis – In the second phase, the threats (unwanted outcomes) are identified, and the probability and impact (consequence) of the realization of each risk is determined.
Risk is expressed as a function of the probability that the undesired outcome (threat) will occur and the impact (consequence) of the undesired outcome if it occurs.
Risk = (Probability of the threat occurring) × (Degree of impact)
The impact can be:
- Low, when individuals can face several minor inconveniences, which they will overcome without a problem (for example: lost time to re-enter data, anxiety, irritation, etc.)
- Medium, when natural persons can face significant inconveniences, which they will be able to overcome despite certain difficulties (for example: additional costs, refusal of access to certain business services, fear, lack of understanding, stress, minor physical ailments, etc.)
- High, when natural persons can face significant consequences, which they should be able to overcome, but with serious difficulties (for example: misappropriation of funds, blacklisting by financial institutions, damage to property, loss of employment, subpoena, deterioration of health, etc.)
- Very high, when natural persons can face significant and even irreversible consequences, which they are unlikely to be able to overcome (for example: inability to work, long-term psychological or physical illness, death, etc.).
The risk assessment is carried out according to the basic principles of personal data protection.
3. Risk management – The third phase should include protective measures, security measures and mechanisms designed to reduce the risk to an acceptable level, ensure the protection of personal data and demonstrate compliance with the regulations for the protection of personal data.
The measures, just like the risk assessment, should be divided according to the basic principles of personal data protection.
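The risk-analysis and risk-management phases above, as an added example that is not part of the original document: a small risk register applying Risk = Probability × Impact with the four impact levels the text defines, then checking whether the planned measures bring each risk to an acceptable level. The probability scale, the acceptance threshold and the sample register are assumptions, not values from the document.

```python
# Added example (not from the original document). IMPACT follows the four
# levels in the text; PROBABILITY and ACCEPTABLE_RISK are assumed scales.
from dataclasses import dataclass, field

IMPACT = {"low": 1, "medium": 2, "high": 3, "very high": 4}           # from the text
PROBABILITY = {"negligible": 1, "limited": 2, "significant": 3, "maximum": 4}  # assumed
ACCEPTABLE_RISK = 4  # assumed: a product of level scores at or below this is acceptable


def risk_score(probability: str, impact: str) -> int:
    """Risk = (probability of the threat occurring) x (degree of impact)."""
    return PROBABILITY[probability.lower()] * IMPACT[impact.lower()]


@dataclass
class Threat:
    description: str
    probability: str           # inherent likelihood, before measures
    impact: str                # inherent impact on the data subjects
    residual_probability: str  # likelihood once the measures are applied
    residual_impact: str       # impact once the measures are applied
    measures: list = field(default_factory=list)  # planned protective/security measures

    def inherent(self) -> int:
        return risk_score(self.probability, self.impact)

    def residual(self) -> int:
        return risk_score(self.residual_probability, self.residual_impact)

    def acceptable(self) -> bool:
        return self.residual() <= ACCEPTABLE_RISK


def assess(register):
    """(description, inherent risk, residual risk, acceptable?) per threat.
    Entries still above the threshold need further measures before the report is approved."""
    return [(t.description, t.inherent(), t.residual(), t.acceptable()) for t in register]


# Constructed sample register for an illustrative processing activity.
SAMPLE_REGISTER = [
    Threat("Unauthorised access to health records", "significant", "very high",
           "limited", "very high", ["encryption at rest", "role-based access", "audit logging"]),
    Threat("Loss of contact details through backup failure", "limited", "low",
           "negligible", "low", ["tested daily backups"]),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        print(row)
```

Note that the first threat stays above the threshold after the measures: the impact (very high) is unchanged, so the residual risk of 8 signals that additional measures are required before the controller can sign off.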
4. Compilation of a report on the implemented EPA – The controller documents all stages of the implementation of the EPA, after which it prepares a report.
The report on the implemented PPE contains, in particular:
- a description of the processing process,
- the internal and external persons involved in the implementation of the PPE,
- the risk analysis,
- the defined risk management measures,
- a summary/conclusion,
- an action plan,
- the opinion of the officer and of the other persons involved in the process,
- the approval of the PVZLP by the responsible person at the controller.