Risk Register
Privacy and data protection risk register — 13 risks
| Open Risks | Critical | High | Mitigated |
|---|---|---|---|
| 9 | 1 | 4 | 2 |
Risk Heatmap

Count of risks by likelihood (rows) and impact (columns), as rated in the register below.

| Likelihood ↓ / Impact → | Low | Medium | High | Critical |
|---|---|---|---|---|
| Critical | 0 | 0 | 0 | 0 |
| High | 0 | 1 | 2 | 1 |
| Medium | 0 | 2 | 1 | 2 |
| Low | 1 | 1 | 1 | 1 |
| Risk Level | Description | Activity | Likelihood | Impact | Status | Residual Risk |
|---|---|---|---|---|---|---|
| Critical | CCTV DPIA not completed (regulatory exposure) | RPA-004 | High | Critical | Open | Medium |
| High | Inadequate consent records for CRM data collection | RPA-002 | High | High | Open | Medium |
| High | Analytics DPIA overdue (enforcement risk) | RPA-009 | High | High | Open | Medium |
| High | Health data inadequately protected (sensitive category) | RPA-008 | Medium | Critical | Open | Medium |
| High | Payment data breach risk from third-party gateway | RPA-005 | Medium | Critical | Open | Medium |
| Medium | Cross-border transfer to US without adequate safeguards review | RPA-006 | Medium | High | Mitigated | Low |
| Medium | Payroll data shared with unauthorised third parties | RPA-001 | Low | Critical | Mitigated | Low |
| Medium | Applicant data retained beyond defined retention period | RPA-003 | Medium | Medium | Open | Low |
| Medium | Criminal record data not destroyed after hiring decision | RPA-015 | Low | High | Open | Low |
| Medium | Loyalty programme using automated profiling without disclosure | RPA-013 | High | Medium | Open | Medium |
| Medium | Board records not reviewed for 300+ days | RPA-016 | Medium | Medium | Open | Low |
| Low | Call recordings shared with third party without adequate notice | RPA-010 | Low | Medium | Accepted | Low |
| Low | Vendor data shared with procurement team without DPA | RPA-012 | Low | Low | Accepted | Low |