# Privacy Risk Assessment Template

This template is a practical starting point for organizing privacy risk information. It is not legal advice. Privacy officers, legal counsel, or qualified advisors should review jurisdiction-specific obligations.

## Recommended Fields

| Field | Purpose |
|---|---|
| Assessment ID | A stable identifier for tracking the assessment. |
| Assessment name | Short name for the product, vendor, system, feature, or data processing activity. |
| Assessment type | DPIA (Data Protection Impact Assessment), PIA (Privacy Impact Assessment), HIPAA risk analysis prep, CCPA/CPRA risk assessment, ADMT (automated decision-making technology) review, or vendor privacy assessment. |
| Jurisdiction | The law, region, or compliance context being considered. |
| Processing activity | What personal data is collected, used, disclosed, retained, shared, or fed into automated decision-making. |
| Business purpose | Why the processing is needed and which team owns the outcome. |
| Data categories | Personal data, sensitive data, PHI, employee data, location data, biometrics, or other regulated categories. |
| Data subjects | Customers, patients, employees, prospects, website visitors, minors, contractors, or other affected people. |
| Systems and vendors | Internal systems, subprocessors, analytics tools, AI systems, or third-party processors involved. |
| Legal basis or requirement | Jurisdiction-specific requirement, legal basis, contract requirement, or review trigger. |
| Risk scenario | A concrete privacy harm that could affect individuals. |
| Likelihood | Low, medium, or high, on a scale defined once and applied the same way in every assessment. |
| Impact | Low, medium, or high, rated as harm to the affected individuals rather than to the business. |
| Existing controls | Security, privacy, contractual, retention, consent, access, monitoring, and human-review controls. |
| Residual risk | Risk remaining after existing controls and planned mitigations, recorded on the same low/medium/high scale. |
| Mitigation owner | Person or team accountable for reducing the risk. |
| Target date | Date by which mitigation should be completed. |
| Decision | Approve, mitigate, block, escalate, or revisit later. |
| Approver | Person or function approving the assessment decision. |
| Last reviewed | Date of latest review. |
| Next review | Date for the next review. |
| Notes | Caveats, assumptions, legal review notes, or evidence links. |

## Example Rows

| Assessment | Type | Processing activity | Risk scenario | Controls to review |
|---|---|---|---|---|
| New analytics tool review | Vendor privacy assessment | Website visitor analytics and product usage tracking | Unexpected tracking or vendor reuse of personal data | DPA (data processing agreement) review, cookie banner review, retention limit, data minimization |
| AI support triage | AI / ADMT review | AI-assisted routing of customer support tickets | Incorrect classification, or exposure of sensitive ticket content to the AI workflow or its vendor | Human review, prompt controls, logging, vendor review, retention limit |
| Patient portal vendor | HIPAA risk analysis prep | Third-party portal processes patient messages and account data | Unauthorized access, weak access control, incomplete audit trail | BAA (business associate agreement) review, access controls, audit logging, incident response review |
| California profiling review | CCPA / CPRA risk assessment | Automated segmentation used for eligibility, pricing, or targeting decisions | Opaque automated decisioning or insufficient opt-out process | Purpose review, ADMT disclosure review, opt-out path, human escalation |

## Workflow

1. Define the activity: what data, about whom, for what purpose, in which systems.
2. Screen for sensitive data, high-risk processing, PHI, ADMT, vendor processing, or cross-border transfer; a positive screen determines the assessment type and how deep the review must go.
3. Record concrete risk scenarios, each stated as a harm to individuals.
4. Score likelihood and impact, then re-score after existing controls to arrive at residual risk.
5. Assign mitigation owners and target dates.
6. Record the decision, approver, residual risk, and next review date.
7. Store the approved assessment as evidence that later questionnaires and GRC (governance, risk, and compliance) reviews can reuse.
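The workflow above is easy to get wrong in a spreadsheet: screens get skipped, residual risk ends up higher than inherent risk, or an assessment is approved with no approver or next review date. The following Python script, an added example and not part of this template or any GRC product, models the record fields above and encodes the screening, scoring, and consistency checks as code that can gate what gets stored as evidence. The trigger keyword lists, the 3x3 scoring matrix, the decision rules, and both sample records are assumptions made for illustration; adjust them to your own policy.

```python
"""Added example (not part of the template): screen, score, and validate a
privacy risk assessment record before storing it as GRC evidence."""
from __future__ import annotations

import json
import re
from dataclasses import dataclass, field
from datetime import date

LEVELS = ("low", "medium", "high")  # one scale for likelihood, impact, residual risk

# Workflow step 2 triggers. Keyword lists are an illustrative assumption;
# matching uses word boundaries so "phi" does not fire on "sapphire".
SCREEN_TRIGGERS = {
    "sensitive data": {"sensitive data", "biometric", "health", "location data", "financial"},
    "PHI": {"phi", "patient"},
    "ADMT": {"admt", "automated decision", "ai-assisted", "profiling", "segmentation"},
    "vendor processing": {"vendor", "subprocessor", "third-party"},
    "cross-border transfer": {"cross-border", "international transfer"},
}


@dataclass
class Assessment:
    """Subset of the template fields needed for the checks below."""
    assessment_id: str
    name: str
    processing_activity: str
    data_categories: list[str]
    systems_and_vendors: list[str]
    risk_scenario: str
    likelihood: str
    impact: str
    existing_controls: list[str] = field(default_factory=list)
    residual_risk: str | None = None
    mitigation_owner: str | None = None
    target_date: date | None = None
    decision: str | None = None  # approve, mitigate, block, escalate, revisit later
    approver: str | None = None
    last_reviewed: date | None = None
    next_review: date | None = None


def screen(a: Assessment) -> list[str]:
    """Step 2: return the high-risk triggers found in the record's descriptive fields."""
    text = " ".join([a.processing_activity, *a.data_categories, *a.systems_and_vendors]).lower()
    return [name for name, kws in SCREEN_TRIGGERS.items()
            if any(re.search(r"\b" + re.escape(k) + r"\b", text) for k in kws)]


def score(likelihood: str, impact: str) -> str:
    """Step 4: combine two low/medium/high ratings into one inherent risk level.
    Assumed matrix: low+low -> low, medium+high or high+high -> high, otherwise medium."""
    total = LEVELS.index(likelihood) + LEVELS.index(impact)
    return "low" if total == 0 else "high" if total >= 3 else "medium"


def validate(a: Assessment) -> list[str]:
    """Steps 4 to 6: consistency rules a record must pass before it becomes evidence.
    These rules are an assumed local policy, not a legal requirement."""
    issues = [f"{n} must be one of {LEVELS}" for n, v in
              (("likelihood", a.likelihood), ("impact", a.impact)) if v not in LEVELS]
    if issues:
        return issues  # cannot score on an invalid scale
    inherent = score(a.likelihood, a.impact)
    if a.residual_risk not in LEVELS:
        issues.append("residual risk must be recorded on the same low/medium/high scale")
    elif LEVELS.index(a.residual_risk) > LEVELS.index(inherent):
        issues.append(f"residual risk {a.residual_risk} exceeds inherent risk {inherent}")
    if screen(a) and not a.existing_controls:
        issues.append("high-risk screen hit with no existing controls recorded")
    if a.decision == "mitigate" and not (a.mitigation_owner and a.target_date):
        issues.append("mitigate requires a mitigation owner and target date")
    if a.decision == "approve":
        if not a.approver:
            issues.append("approve requires an approver")
        if a.residual_risk == "high":
            issues.append("high residual risk cannot be approved; mitigate, block, or escalate")
    if a.decision in ("approve", "mitigate", "revisit later") and not a.next_review:
        issues.append("an open or approved assessment needs a next review date")
    if a.last_reviewed and a.next_review and a.next_review <= a.last_reviewed:
        issues.append("next review must be after last reviewed")
    if a.last_reviewed and a.target_date and a.target_date < a.last_reviewed:
        issues.append("target date is before the last review")
    return issues


def to_evidence(a: Assessment) -> dict:
    """Step 7: a JSON-serialisable record for a questionnaire answer or GRC upload."""
    return {"assessment_id": a.assessment_id, "name": a.name, "screen_triggers": screen(a),
            "inherent_risk": score(a.likelihood, a.impact), "residual_risk": a.residual_risk,
            "decision": a.decision, "open_issues": validate(a),
            "next_review": a.next_review.isoformat() if a.next_review else None}


# Constructed sample records based on two of the example rows above.
AI_TRIAGE = Assessment(
    "PRA-0001", "AI support triage", "AI-assisted routing of customer support tickets",
    ["customer contact data", "support ticket content"], ["ticketing system", "third-party LLM vendor"],
    "Incorrect classification or exposure of sensitive ticket content", "medium", "high",
    existing_controls=["human review", "logging"], residual_risk="medium",
    mitigation_owner="Support Engineering", target_date=date(2025, 9, 30), decision="mitigate",
    last_reviewed=date(2025, 7, 15), next_review=date(2026, 7, 15))

PATIENT_PORTAL_BAD = Assessment(  # deliberately incomplete: approved with no controls or approver
    "PRA-0002", "Patient portal vendor", "Third-party portal processes patient messages and account data",
    ["PHI", "account credentials"], ["external patient portal vendor"],
    "Unauthorized access or incomplete audit trail", "high", "high",
    residual_risk="high", decision="approve", last_reviewed=date(2025, 7, 15))

if __name__ == "__main__":
    print(json.dumps(to_evidence(AI_TRIAGE), indent=2))
    print(json.dumps(to_evidence(PATIENT_PORTAL_BAD), indent=2))
```

Run it and the second record comes back with four open issues, which is the point: `validate` refuses the "approve" decision until an approver and next review date exist and the high residual risk is either mitigated or escalated, so the evidence stored in the GRC system reflects the workflow rather than whatever a reviewer typed into a cell.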
