breach-risk-assessment
Conducting Breach Risk Assessment
Overview
When a personal data breach occurs, the controller must assess whether the breach is "likely to result in a risk to the rights and freedoms of natural persons" (GDPR Art. 33(1)), which determines whether the supervisory authority must be notified, and whether it is "likely to result in a high risk" (Art. 34(1)), which determines whether the affected data subjects must be notified. This skill provides a structured, repeatable methodology for that assessment, based on EDPB Guidelines 9/2022 and Guidelines 01/2021.
Breach Type Classification (CIA Triad)
Every breach must first be classified according to the type of security compromise:
Confidentiality Breach
Unauthorized or accidental disclosure of, or access to, personal data.
| Scenario | Severity Indicator |
|---|---|
| Email containing 50 customer records sent to wrong internal department | Low — limited exposure, same organization |
| Database export of 200,000 records posted on public file-sharing service | Severe — mass exposure, publicly accessible |
| Employee accesses medical records of a colleague without authorization | Medium — limited scope but sensitive data |
| Backup tape containing unencrypted payroll data lost during transport | High — financial data, unknown accessor |