Earlier this month, Agencia Española de Protección de Datos (AEPD), the Spanish Data Protection Agency released an English translation of its ‘Guide on personal data breach management and notification’. The document is designed to provide data controllers and processors with an action plan for dealing with personal data breaches and the tasks involved in mitigating or minimising negative consequences.

Most notably, the Guide contains the Spanish regulator’s recommended method of assessment of data breach severity, for the purpose of compliance with Articles 33 and 34 of the General Data Protection Regulation (GDPR) – breach notification to the Data Protection Authority (DPA) and data subjects, respectively.

Calculating the Risk

The method of assessment is located in Annex III of the document. It operates by converting relevant factors and circumstances of the breach and personal data involved into a mathematical equation:

Risk (in %) = Volume of data x Type of Data x Impact (Disclosure)

The specific values are set depending on circumstances of the breach. Factors to consider include:

  • Based on the number of identification records affected, the Volume variable is given a value of 1 to 5, the larger number of records, the higher the value. A value of 4 or 5 is considered to belong to a separate category, called “qualitative circumstances”.
  • The Type of Data variable is assigned a value of 1 or 2, corresponding to non-sensitive and sensitive data, respectively. A value of 2 falls into qualitative circumstances.
  • The Impact variable is assigned an even-number value, ranging from 2 to 10. The values of 6, 8 and 10 are labelled as qualitative circumstances.

DPA Notification?

In order to trigger an obligation to notify the DPA within 72 hours of the breach (Article 33 GDPR), the document suggests that the following minimum criteria should be fulfilled:

  • Risk percentage has a value of 20 or more; and
  • Two or more qualitative circumstances are triggered.

Data Subject Notification?

The Guide recommends the controller or processor to consider a notification to the data subjects in situations where:

  • Risk percentage has a value of 40 or more; and
  • Two or more qualitative circumstances are triggered.

It should be noted that unlike older breach assessment guidelines, this approach only classifies the data as sensitive/not sensitive, without further assessment of additional circumstances or characteristics of the data subjects or the data itself.


It is possible that the Spanish DPA’s risk assessment method, especially where there is a low number of data records affected, without any further assessment, would produce results to which the UK Information Commissioner’s Office (ICO) or the Irish Data Protection Commissioner (DPC) may not agree with. It is therefore important that if an organisation suspects that it has experienced a personal data breach, it carries out a data risk assessment that would satisfy itself and regulatory bodies that appropriate steps have been taken to contain the breach and notify affected individuals if relevant.

The full text of the AEPD’s Guide can be accessed here.