Sign in with the username and password you chose when you registered.
{{ arete_auth_error }}
First time here?
New students: create an account using the registration code from your facilitator. You can change your username and password at any time once signed in.
Create your account
Choose a username and password — that is all we store. Already have one? .
{{ arete_reg_error }}
We store only the username and password you choose — no name, email or any other personal data. Your facilitator gives you the registration code.
🍪
ARETE
Cookies & privacy
This portal stores the minimum needed to keep you signed in and to remember your settings. It uses no tracking, analytics, advertising or third-party cookies, and never profiles you.
The one cookie we use
Name
arete_session
Purpose
Keeps you signed in after you log in. Strictly necessary — the portal cannot work without it.
Contents
A signed token (your user id + expiry). No name, email or assessment data.
Lifetime
Expires within 7 days, and immediately when you sign out.
Because this cookie is strictly necessary for a service you actively request by signing in, the EU data-protection framework (GDPR / Regulation (EU) 2018/1725 and the ePrivacy Directive, Art. 5(3)) does not require a consent banner for it — only this clear information.
Stored on your device (local storage)
To make the tool usable, your browser keeps a few items locally — your display preferences, your training progress (unlocked scenarios, answers in progress and, optionally, a name you enter). This stays in your browser, is never used for tracking, and is removed automatically when you sign out. You can also clear it at any time from Contact → Reset training or your browser settings.
Your data & your rights
The controller for this training platform is the facilitation team, reachable at {{ COURSE_META.contactEmail || 'your facilitator' }}. You have the right to access, rectify and erase your data and to lodge a complaint with the European Data Protection Supervisor (EDPS). To exercise any of these, or to ask how your training submissions are handled, contact the facilitation team.
Removing everything
Signing out clears the session cookie and removes your progress and answers from the device — safe on shared computers. Everything you already submitted stays on the course server and reappears when you sign in again.
ARETE
{{ arete_must_change_credentials ? 'Welcome — would you like to set your own credentials?' : 'Change your username or password' }}
You signed in with the credentials your facilitator sent. You can pick a new username (any handle, up to 32 characters) and/or a new password for better pseudonymity — or keep the ones you have. You can always change them later from the Contact section.
Pick a new username, a new password, or both. Your current password is required to confirm it is really you.
Some course content could not be loaded.
Please reload the page in a moment — if this message keeps appearing, contact the facilitation team (Contact page in the sidebar).
(technical detail: {{ arete_content_error }})
ARETE will help you to carry out a robust personal data breach risk assessment in line with Articles 34 and 35 EUDPR. This page is your home for everything related to the programme — pre-work, agenda, scenarios, reference library, and follow-up.
{{ pf_primaryCtaSub }}
1 Before the workshop ✓
Get the foundations on your own, at your own pace (~35 min): short readings and a first breach scenario to work through.
Risk assessments submitted in breach notifications regularly fall below the expected standard — the surface of attack is under-defined, highly data-centric adverse effects are vague, and the rationale for the risk score is missing or not sufficiently granular.
2
Risk centred on the organisation, not on data subjects
Organisational risk concerns crowd out the risk to data subjects — which is what Article 34 EUDPR actually requires controllers to assess.
3
High tolerance to risk
Controllers consistently lean toward under-evaluating risk, often to avoid the obligation to notify or to communicate. Some EUIBAs even use risk matrices that split "high risk" into notify / don't-notify paths — contradicting the three-tier framework in the law.
Programme overview
What you'll learn
By the end of ARETE, you will be able to:
LO1
Differentiate organisational risk from data subject risk
You will distinguish between organisational impacts and adverse effects on data subjects, correctly identifying at least three specific data subject risks (identity theft, loss of control over personal data, reputational harm, …) that must be prioritised in an EUDPR-compliant assessment.
Addresses Finding 2.
LO2
Apply the EDPS risk assessment body of knowledge with reasoned rationale
Following the pre-work and the guided scenario, you will apply the body of knowledge to a breach scenario — identifying the key risks to data subjects, assigning correctly Unlikely / Risk / High Risk score, and writing a rationale that maps the surface of attack to specific increasing or decreasing risk factors.
Addresses Findings 1 and 2.
LO3
Determine notification obligations
Given a complex breach use case, you will decide whether the breach requires notification to the EDPS under Article 34 and/or communication to data subjects under Article 35, justifying the decision with reference to the three-tier risk framework and the 72-hour deadline.
Addresses Finding 3.
Stage 1 of 3 · Before the workshop
Before the workshop readings {{ pf_prework_done_count }}/{{ pf_prework_total }}
Get the foundations on your own, online and at your own pace — two steps, ~35 minutes in total. Please complete them before the workshop day: the first 30 minutes of the session activate this material rather than re-deliver it.
1 Read the essentials ~15 min
Five short readings — the assessment method first, then the legal framework. Tick each one as you finish. (The scientific papers and practitioners' insights move to After the workshop.)
Your first realistic breach case, worked offline. You read the case file, score it on the paper template, then record your risk decision online — it locks once recorded.
✓ completedcase file + paper template
Stage 1 of 3 · Before the workshop · Step 1
1
Read the essentials
~15 min
Five short readings curated from the reference library, in the same subsections you will find there. Tick each as you finish. Start with the method — everything else hangs off it. (The scientific papers and practitioners' insights are now further reading for after the workshop.)
Seven short breach cases. For each one, commit to a risk classification for the data subjects — then submit to reveal the reference answer and the reasoning behind it. Use it to test the judgement you built during the workshop. The cases are deliberately varied, and a couple are genuinely debatable.
🔒 Your facilitator opens this at the close of the workshop — it unlocks here automatically, nothing to type or refresh. If it stays locked once the day is over, email the facilitation team.
Commit to a classification for each case. After you submit, you'll see the reference answer and a short explanation for every case — and your score.
You work this first scenario on your own, offline: read the case file, score it on the paper template, then record your pre-work risk decision here. Follow the three steps below — your committed risk decision is the pre-work deliverable. Bring the completed paper template to the workshop.
Read the case file. Open the Case file above — it holds everything you work from: the institution and the data involved, the record of processing (RoPA), the data-processing agreement (DPA), the incident-response procedure and the incident timeline. Read it through before you score anything.
Fill in the paper template. Work through the Paper template step by step, recording your scoring from the case file as you go — whose data was affected, the CIA dimensions, the root cause, the data sensitivity and volume, the likely consequences and harms, and the containment measures.
Record your pre-work risk decision. When the template is complete, commit your own call in the panel below (button ①): likelihood and severity in words, a risk score, a one-paragraph rationale, and your Art. 34 / Art. 35 decisions. It locks once recorded — that is your deliverable.
Record your risk decision
Both decisions are recorded. Bring your paper template to the workshop.① is your pre-work deliverable — record it before the workshop. ② unlocks in the room, after your facilitator presents Inject 1.Inject 1 is live — weigh it against your pre-work call and record your revised decision in ②.
In person on {{ COURSE_META.date }}: team-based work on a live breach scenario with your facilitator — you apply everything from the pre-work and debate your judgement. Practical details are on the Logistics page.
{{ training_unlocked_scenarios.arete_s2_inject1 ? 'OPEN' : 'LOCKED' }}Assessment tool — Inject 1 (a separate, pre-loaded copy of the wizard)
{{ section_locks.s2_result ? 'HIDDEN' : 'REVEALED' }}Automatic result on the result screen (your judgement vs the calculation) — applies to S2 and the Inject 1 tool
🔒 Your facilitator opens the assessment tool at the start of the workshop — it unlocks here automatically; nothing to type or refresh. You can download the paper template and workshop pack now to prepare.
A second, separate copy of the assessment tool for the in-room Inject 1. Once the facilitator presents the new information, your team re-runs the assessment here — your initial Scenario 2 assessment stays untouched, so you can compare the two.
🔒 Your facilitator opens the Inject 1 tool in the room once Inject 1 is presented — it unlocks here automatically; nothing to type or refresh.
⇄
Compare — your initial call vs after Inject 1
How your team's risk judgement changed once Inject 1 arrived. Highlighted rows are the ones that moved.
Initial analysis
After Inject 1
{{ row.label }}
{{ row.a }}
{{ row.b }}moved
Initial rationale
{{ wiz_s2_comparison.initial.rationale || '—' }}
After Inject 1
{{ wiz_s2_comparison.inject1.rationale || '—' }}
Stage 3 of 3 · After the workshop
After the workshop
Close the loop: test your judgement on the risk classification quiz, dig into the further reading, and keep practising at your own pace with real EDPB worked cases.
1 Risk classification quiz
Seven short breach cases — commit to a risk classification for each, then see the reference answer and the reasoning behind it. A quick way to test the judgement you built during the day.
🔒 Locked for students · click to preview✓ submitted🔒 Opens at the close of the workshopopen
2 Further reading
Scientific papers on breach-harm research and practitioners' insights — to deepen your understanding after the workshop.
🔒 Locked for students · click to preview🔒 Opens at the close of the workshop🔒 opened by your facilitatoropen
3 Additional practice
Seven EDPB worked examples, from misdirected emails to a hacked whistleblower database — practise the method and compare your call with the official outcome.
🔒 Locked for students · click to preview🔒 Opens at the close of the workshopopen
Stage 3 of 3 · After the workshop
📑
Further reading 🔒 locked
Optional deeper reading to take the method further after the workshop: current research on breach harm, and how breaches are assessed and communicated in practice. Tick each as you finish.
🔒 Your facilitator opens this at the close of the workshop — it unlocks here automatically, nothing to type or refresh.
Seven additional breach scenarios from the EDPB and EDPS guidelines. Each one has an established expected outcome — apply the body of knowledge and compare your reasoning against the reference rationale.
Sent by email roughly one week after the workshop. You will apply the body of knowledge to seven additional cases from the EDPB and EDPS guidelines, each with an established expected outcome you can compare your reasoning against.
This guided mode will ask you questions in plain language and translate your answers into the EUDPR / EDPB risk categories. It's intended for staff dealing with a breach for the first time, or who want a structured walk-through.
Expect about 10–15 minutes. You can step back at any point. At the end you'll see the calculated risk and which legal obligations apply.
ⓘ Tip: The questions below are the same ones a DPO works through in a real incident. They follow the four phases of the assessment method you saw in the pre-work — gather the facts, weigh the likelihood, weigh the severity, then weigh the circumstances and judge. The ribbon above the progress bar shows which phase you are in. Before the result is revealed you will commit to your own judgement, and then compare it with the automatic calculation.
What this assessment is based on
The questions follow the risk-assessment doctrine in EDPB Guidelines 9/2022 v2.0 and the EDPS Guidelines on personal data breach notification (2018): the likelihood that data subjects suffer adverse effects, weighed against the severity of those effects, with three resulting risk levels (LOW / RISK / HIGH RISK) matching the Art. 34 / Art. 35 thresholds in Regulation (EU) 2018/1725 (EUDPR). Per–data–subject–category assessment is preserved — you'll assess one category in detail, then we'll ask whether other categories of affected people would fare differently.
Step 1 · Identification
Some basic details for the report header. None of these affect the risk calculation, but they appear at the top of the final report and several are referenced by the EDPS notification template.
Internal identifier used to track this breach across documents.
When ticked, the controller's notification and DS-communication obligations are governed by Arts. 92, 93 and 94 — not Arts. 34 and 35. The risk calculation is identical for both scopes; only the legal references in the report differ. Most EU institutions leave this unchecked.
List the RoPAs relevant to the breach. You'll attach one to each DS category in Step 6. If you don't have RoPAs to reference, skip this section.
Step 1 · What happened?
Describe what happened in your own words. Don't worry about technical terms — write as if explaining to a colleague who wasn't involved. We'll ask the technical follow-ups in the next steps.
Examples: "A laptop containing a list of training participants was stolen from a meeting room." · "An email with attendees' personal data was sent to the wrong distribution list." · "Our HR system was hit by ransomware; backups are intact and forensics found no exfiltration."
{{ (state.breach.desc || '').length }} / 3000 characters · This text will appear at the top of the report.
Step 1 · What did the breach affect?
A breach can affect data in three different ways. Tick all that apply — many breaches affect more than one.
What this maps to (technical)
These three options correspond to the CIA triad — Confidentiality, Integrity, Availability. A breach must affect at least one. The combination determines which Likelihood factors apply later (e.g. L1 only matters if Confidentiality is in scope).
Step 1 · What caused the breach?
Pick the option that best describes how the breach happened.
Step 2 · When did this happen?
Five dates matter. The most important is Date of Awareness — that's what starts the 72-hour clock under Art. 34(1) EUDPR. The notification dates can be left blank if you haven't notified yet; the wizard surfaces a warning if the deadline has passed.
When IT first saw an alert, a user reported a problem, or a third party informed you. Optional.
The date the institution had reasonable certainty personal data was involved. Starts the 72-hour clock.
72-hour deadline: {{ wiz_deadlineDisplay }}
— ✔ EDPS notified within the 72-hour deadline — EDPS notified late — provide the reason below — already past the deadline and EDPS not yet notified — less than 24h left to notify
Date when the institution submitted the Art. 34 notification to the EDPS. Leave blank if not notified yet.
Date of Art. 35(1) communication. Only mandatory for HIGH RISK breaches.
Mandatory under Art. 34(1) EUDPR when notifying late.
Why detection and awareness can differ
EDPB Guidelines 9/2022 §28: detection is when the controller becomes aware of an incident; awareness is when the controller has reasonable certainty that a personal-data breach has occurred. A short investigation period between the two is acceptable.
Step 3 · Whose data was affected, and how vulnerable are they?
Pick the most representative category from the institution's DS register. Then confirm or adjust the inherent vulnerability for this specific case. If multiple categories are affected you'll add the others later as variations.
The DS register is empty. Pick Custom below or set up the register first.
For custom categories you set the vulnerability level manually below.
About the population, not the incident. The level is pre-filled from the chosen category — adjust if this specific case warrants a different one (for example, a politically sensitive subset of an otherwise general-public category).
You have adjusted the vulnerability away from the register default ({{ wiz_i0Labels[wiz_primary.i0Suggested] }}). Document the rationale in the DPO confirmation field after the wizard.
What inherent vulnerability captures
Inherent vulnerability raises the severity for data subject categories that are more exposed — Standard, Slightly elevated, High or Critical — independent of the incident itself. It is about the data subject category, not the data. Special-category status (Art. 10/11 EUDPR) is captured separately, under data sensitivity.
No RoPAs added yet. Go back to Step 1 · Identification to register one, or leave this empty.
Step 4 · Could the data be read by whoever has it?
If someone unauthorised got hold of the data, can they actually identify the people in it?
Step 4 · Where did the data end up?
After the breach, who had access, or what happened to the data?
Step 4 · Was this an accident or a deliberate attack?
A deliberate attack is more likely to lead to data being misused. Asking about intent and exploitation.
Step 4 · Did the data actually leave our environment?
Different from "where did it end up" — here we want to know whether the data was physically extracted from your systems by an attacker, or whether it remained inside even though access happened.
ⓘ Note — device vs data: the question is about extraction of usable data, not about whether a device physically left the premises. A stolen laptop with intact strong encryption leaves the device but the bytes are unintelligible — that case answers No here, and the encryption status is captured separately at the L1 step.
How widely did the data spread?
Why this matters for the score
Confirmed exfiltration forces Likelihood ≥ 4 because once data has left your perimeter you cannot put it back — the worst-case must be assumed. Plausible/unknown with an external attack pushes Likelihood ≥ 3.
None is the only value that enables the null-impact downgrade later (which can take a RISK breach down to LOW). Pick "none" only when you have positive evidence — not just absence of evidence.
Step 4 · What kind of data was affected?
Different data carries different risk if exposed. Pick the most sensitive kind affected, even if only part of the dataset.
Step 4 · How many people are affected?
Volume affects how widely the harm could spread. The Expert tab and the EDPS Art. 34 notification form distinguish between individuals (distinct people) and records (distinct data items — one person can have several). Fill what you know; the engine cross-validates against the band you pick below.
Distinct data subjects across all categories.
Distinct records / data items. Often higher than individuals (one person, many records).
Then pick the closest band — scale is recorded as part of the assessment and weighed qualitatively alongside the sensitivity of the data (EDPB Guidelines 9/2022 §4.6.2; the EDPS notes that more individuals does not automatically mean more risk per individual). If the exact number is unknown, leave the inputs blank and pick a band based on best estimate.
Step 4 · What could happen to the affected people?
Realistic worst-case consequences, given everything you've described.
Step 4 · What specific harms could the people experience?
Tick every harm realistically possible. If none apply, leave them all unticked and confirm below.
Step 5 · How is the breach being contained and handled?
A few questions about the institution's response. These don't change the inherent risk of the breach, but they affect which downgrades apply, and they also fill in the report fields that the EDPS expects to see.
When in doubt, pick the most pessimistic that's compatible with the facts.
"Full" is required (alongside other conditions) to allow a RISK→LOW downgrade.
How long until full restoration?
"Resolved" is required for the RISK→LOW downgrade. Pick "ongoing" if the situation is still developing.
Required for cybersecurity incidents under Reg. (EU) 2023/2841. If the breach has a cybersecurity dimension, CERT-EU should also be in the loop.
How the engine uses these answers
Containment / recovery / persistence together with exfiltrationStatus = 'none' and harmsConfirmed = true can trigger a one-step risk downgrade (RISK→LOW or HIGH RISK→RISK) for benign incidents — see EDPB Cases 01, 09, 15.
The operational status flags (managed/contained, investigation ongoing, CERT-EU notified) don't change the score but generate the cross-validation warnings the EDPS expects to see in the final report. Leaving them unset will trigger warnings like "breach is not marked as contained and no investigation is ongoing".
Step 5 · Are other categories of people also affected?
You've scored this for {{ wiz_primaryCategoryLabel }}. The same breach can affect other categories with a different risk profile (e.g. employees + minors).
For each additional category, only mark the factors that differ from your primary scoring. Everything else is inherited.
Which factors might differ between categories — and how to decide
Most often, only the three Severity factors change. The breach mechanics (how data was lost, where it ended up, whether it was an attack) are properties of the incident itself, so they're inherited. What can legitimately differ is who the affected people are and what the consequences mean for them.
Inherent vulnerability — how vulnerable is this category before any breach? About the population, not the incident. When does it differ? When the new category has a different vulnerability profile — e.g. you scored for general staff (Standard) but the breach also affected minors (High) or whistleblowers (Critical).
Data nature and sensitivity (I1) — what kind of data was exposed, and does the combination of fields itself enable harm? When does it differ? When the breach exposed different fields for different categories — e.g. names & addresses for visitors (Basic) but health records for patients (Special category) — or when one category's data combines into a harm pattern (e.g. name + location patterns ⇒ surveillance).
Consequences (I2) — what could realistically happen to these specific people? When does it differ? Same data can have different impact — e.g. a leaked address is annoying for most but life-threatening for an abuse survivor.
If unsure, leave the select on inherit. You can refine in Expert mode after the wizard.
No additional categories yet. Pick a category from the DS register to add one.
DS category
Inherent vulnerabilityhow vulnerable as a population
Data nature & sensitivitywhat kind of data was exposed
Consequencesrealistic worst case for them
Notes
Your judgement · commit before the calculation
You have gathered the facts, weighed the likelihood and the severity, and reviewed the mitigating circumstances. Before the tool shows its automatic calculation, record your own professional judgement — exactly as you would if you had no tool. On the next screen you will compare the two.
🔒 Your judgement is locked. It was recorded before the calculation was revealed, so the comparison stays honest. Continue to the result to see how it compares.
1. How likely is it that data subjects suffer adverse effects?
2. How severe would those effects be?
3. Your overall risk classification
Weigh the two answers above together with the mitigating and aggravating circumstances you reviewed. There is no arithmetic here — this is your call, the same call Art. 34/35 EUDPR asks of the controller.
This breach affects more than one group of data subjects. Classify the risk for each group — the notification obligations follow the most-at-risk group.
{{ grp }}
5. Your notification decisions
Still missing before the calculation can be revealed:
{{ m }}
ⓘ Once locked, your judgement cannot be edited — the point of the exercise is an honest before/after comparison, not a polished answer.
Result · your judgement vs the automatic calculation
Your judgement · recorded
The tool has assessed the same facts you just judged. Compare the two columns — where they agree, you have independent confirmation; where they differ, one of you has seen something the other has not. That difference is the most valuable thing on this screen: bring it to the debrief.
🔒 Your judgement has been recorded and locked. The tool's automatic calculation stays hidden until your facilitator reveals it to the room — once they do, the comparison appears here automatically (nothing to refresh).
Your facilitator will reveal the tool's automatic calculation to the room. Your own judgement is already recorded — the comparison appears here the moment they reveal it.
{{ section_locks.s2_result ? '🔒 STUDENTS: CALCULATION HIDDEN' : '🔓 STUDENTS: CALCULATION REVEALED' }}You always see the calculation below — this controls only what students see.
✓ Full agreement — your judgement and the automatic calculation reached the same classification and the same notification decisions.
✓ Same classification, but the notification decisions differ — check the legal thresholds in the calculation column and bring the difference to the debrief.
⚠ Different classification. One of you weighed something the other did not — read the reasons below, decide which assessment you find more convincing, and argue it in the debrief. Divergence here is not an error; it is the exercise.
No single circumstance dominates — the classification follows from the combined weight of likelihood and severity as entered.
Internal record only — no notification required. The breach has been classified as "Unlikely to result in risk" (Art. 34(1) negative threshold). Under Art. 34(6) EUDPR you must still keep an internal record of the breach.
Want to see how this compares with EDPB guidance?
{{ train_scenario.discussion_blocks.length ? 'Want to see the discussion guide for this scenario?' : 'Want to see the expected outcome band for this scenario?' }}
This scenario is based on a real example from the EDPB Guidelines / EDPS Annex 2 with an established expected outcome. You can review the pedagogical analysis now (rationale, per-field comparison, lessons) — or close this exercise and try another scenario.
This scenario does not have a single "correct" answer — it is designed to be debated as a team. You can review {{ train_scenario.discussion_blocks.length ? 'the discussion prompts and the expected outcome band' : 'the expected outcome band and its rationale' }} now, or close this exercise and try another.
This tool always saves your assessment into an encrypted vault file on your local disk (AES-256-GCM, PBKDF2 100 000 iterations). Pick one of the two options below to get started. Nothing is ever transmitted — the file stays on your machine and you can transfer it by any normal means.
⚠ Your browser does not support encrypted vaults
The vault feature uses the File System Access API, available in Chrome, Edge and Opera. On Firefox or Safari, data would only be cached in plaintext localStorage — not safe for breach information. Please switch browser to continue.
ⓘ Once inside, open the Body of knowledge for the full EDPB references.
🔒 Create vault password
Choose a password to encrypt your assessment vault. The password cannot be recovered if lost — store it separately from the .vault file.
Enter the password used when this vault was created.
{{ vaultOpen.error }}
⚙ Settings
DS Risk Register
This register is a reference library of data subject categories your institution processes. You do not need to assess all of them — only select the categories actually affected by this breach when creating assessments.
ⓘ What is inherent vulnerability?
Inherent vulnerability reflects how exposed a data subject category is with respect to the data processing activity affected, before any breach. The more vulnerable the population, the higher the severity of the assessment.
Level
Meaning
Examples
Standard
General population, no special vulnerability
EU citizens, members of the public
Slightly elevated
Some power imbalance or contextual sensitivity
EUI employees, job applicants, contractors
High
Known vulnerable category
Minors, elderly, victims of crime, persons in financial distress
Critical
Extreme vulnerability
Whistleblowers, asylum seekers, witnesses, persons in legal/medical proceedings
DS Category
Vulnerability
Justification
Review
+ Add DS Category
Detection Threshold
The "Delayed detection" governance finding is documented when the breach existed for longer than your institution's monitoring policy expects. Configure the threshold (in days) that applies to your institution. The figure is not in the EUDPR or EDPB Guidelines 9/2022 — it is an industry convention. If left unset, the finding is treated as documentary only without a numeric cross-validation.
Current state: {{ state.config.delayedDetectionDays === null ? 'not configured (documentary only)' : 'configured to ' + state.config.delayedDetectionDays + ' days' }}.
The default of 30 days applies when this setting is left at its initial value.
Custom Scenario Templates
Manage your custom breach scenario templates. These appear in the "Custom" tab of the Quick-start scenario selector on the Risk Scoring page.
No custom templates yet. Score an assessment in the Risk Scoring tab, then click the button below to save it as a reusable template.
{{ tpl.name }}
{{ tpl.desc || 'No description' }}
{{ tpl.guidance }}
Privacy & Local Data
This tool runs entirely in your browser. While you work, an unencrypted draft of your assessment is auto-saved to localStorage on this machine so you can recover from accidental closures. Custom templates and UI preferences are also stored here.
For breach data containing personal information, use the encrypted Vault from the toolbar. When you finish, use the button below to wipe everything from this browser.
💾 Transfer or archive a vault: the .vault file is a regular file on your disk. Copy it to a USB drive, email it, or upload it to your institution's storage. The recipient opens it with Vault → Open existing vault and the password you share separately.
ⓘ About this tool
Data Breach Risk Assessment Tool — Training
A self-contained pedagogical environment for learning how to assess the risk of a personal data breach to data subjects. The wizard guides you through Likelihood and Severity scoring, harms taxonomy, structured context, and the final notification decision.
Pedagogical use only
This is a training tool. Do not use it for production breach assessments. It is designed to help you understand the body of knowledge — the worked scenarios, the pedagogical analysis, and the access-code unlocks are not features of the operational tool used in real assessments.
How it works
Your scenario scoring happens client-side in your browser. When you are signed in to the training portal, your graded submissions are sent to the server so your facilitator can review them — see Cookies & privacy for exactly what is stored and why. You can score the scenarios freely, export a PDF, and ask for a pedagogical analysis that compares your decisions with the expected outcome.
Disclaimer
The pedagogical analysis and expected outcomes are derived from EDPB Guidelines and the EDPS practical examples. They reflect a typical reading of those guidelines for training purposes. In a real assessment, the Data Protection Officer and the Controller exercise judgement on the specific facts.
You are about to walk through {{ train_scenario.title }} step by step. This is your pre-work for the in-person ARETE workshop.
📋 What you'll do — and what to hand in
Read the case one piece at a time — the context, the technical findings, then a threat check.
Capture your scoring on the paper template as you go. Short prompts at the bottom of each screen tell you exactly what to write.
On the final screens you commit your pre-work risk decision online: likelihood and severity in words, an overall band, a written rationale, and your Art. 34 / Art. 35 calls. That is your deliverable — it locks once you record it.
A second, in-class decision comes later: in the workshop your facilitator presents new information (Inject 1) and you revise your call. That part stays locked until the day.
Case file — the supporting evidence you draw on to justify your answers: the record of processing (RoPA), the data-processing agreement (DPA), the incident-response procedure and the incident timeline. Download the case file.
🎯 The one-message to keep in mind
Risk to data subjects — not risk to the institution — drives breach notification decisions. As you read, keep asking yourself: what does this mean for the 1,750 external experts whose data is on that laptop?
Estimated time for the briefing: 20–30 minutes. You can leave at any point — when you come back, the briefing continues from the screen where you stopped.
The context
Before we get to the incident itself, here is who's involved and what data is being processed.
The institution
SocialWorld EU is an EU institutional body operating under Regulation (EU) 2018/1725 (EUDPR). It runs UnionGate, an online competence and knowledge hub bringing together experts in social-affairs policy, which periodically hosts technical workshops. SocialWorld EU has well-defined internal IT security procedures, a regulatory compliance framework, a Data Protection Officer (DPO), a Local Cybersecurity Officer (LCO), and a documented incident response procedure.
The processor
SocialWorld EU uses an external consultant to animate the UnionGate community and organise its workshops. The consultant operates under a service contract with a Data Processing Agreement (DPA) under Art. 29 EUDPR. The DPA requires:
Use of the SocialWorld EU corporate laptop (full-disk encryption) — the only device permitted to access or store SocialWorld EU data.
Use of SocialWorld EU's VPN for remote system access.
Offline work is permitted; data may be stored temporarily on the laptop's local drive for justified tasks, subject to the storage-limitation policy.
Immediate notification to the SocialWorld EU IT Security team of any security incident.
The data
About 1,750 external technical experts (PhD researchers, university professors, policy makers, journalists, NGOs, sociologists, MEPs and national ministry experts) — first and last name, job title, professional email and professional postal address — invited to a recent UnionGate workshop. No special-category data (no health, no political, no financial). The original list is also held on SocialWorld EU's secured internal servers (i.e. a backup exists): the controller has no permanent availability loss.
✍️ Capture on your paper template
Find Step 4 · Whose data was affected? in your template. What is the DS category? Note also: who is the controller, and who is the processor in this case? Is this a personal data breach as defined in Art. 3(16) EUDPR? You can consult the Reference library (the 📚 button above) if you need to look up these definitions.
The incident — how it unfolded
Here is the chronology of how the institution learned about the incident.
✍️ Capture on your paper template
Find Step 1 · When did this happen? in your template. Note the key dates. Critical question: at what precise moment does SocialWorld EU become "aware" of a personal data breach for the purposes of the 72-hour notification deadline under Art. 34(1) EUDPR — when the consultant calls the Head of Unit on Day 1, or when IT Security is informed (Day 4) / completes its assessment (Day 5)? Justify your answer in one or two sentences.
(Tip from the Reference library: "awareness" means reasonable degree of certainty that a security incident has resulted in personal data being compromised — NOT just the moment IT first sees an alert.)
Initial technical findings (Day 5, 13:30 UTC)
The IT Security team has completed its first technical assessment. Here is what they have established so far.
Device security
The laptop had full-disk encryption (BitLocker) enabled, as required by the DPA.
The consultant confirms they used a strong, unique passphrase (20+ characters, mixed case, numbers and symbols, not a dictionary word, not reused for other services).
The IT Security team has issued a remote-wipe command via the Mobile Device Management (MDM) platform. The command is marked "sent". Execution is pending — it requires the device to connect to the internet, which it has not done since the theft.
Data involved
The laptop contained a local copy of the workshop dataset: first and last name, job title, professional email and professional postal address of approximately 1,750 external experts.
The DPA permits temporary local storage on the corporate laptop for justified tasks, subject to a storage-limitation policy. The dataset was downloaded 10 days before the theft to prepare name badges and a registration list; the workshop took place the day before the theft; the local copy had not yet been deleted or re-synced to the servers.
No special-category data on the device.
Availability and backups
SocialWorld EU maintains up-to-date backups of all project data on internal secured servers. The data is not lost to SocialWorld EU — no permanent availability issue for the controller.
Threat assessment
No evidence the passphrase has been compromised; no brute-force attempts on other accounts; no phishing linked to the burglary; no known vulnerabilities in the BitLocker implementation on this device's OS version.
The nature of the theft (stolen from a hotel room while travelling; other electronics also taken) suggests opportunistic theft rather than a targeted cyber-attack to acquire data.
Police report filed. No forensic evidence the laptop was specifically targeted.
✍️ Capture on your paper template
Now you have the technical facts. Find these steps in your template and fill them in based on what you've read:
Step 2 · CIA dimensions — which of Confidentiality / Integrity / Availability are in scope?
Step 3 · Root cause — what category?
Step 6 — can the data be read by whoever has it? Think carefully — the encryption is intact today, but the remote wipe is pending. What stance do you take?
Step 7 — where did the data end up?
Step 8 — accidental or deliberate?
Don't fill in data sensitivity, consequences or harms yet — there's more to come on the next screen.
Pause — complete your first-pass scoring
You now have everything you need for an initial assessment. Take 5–10 minutes to fill in the remaining steps on your paper template.
✍️ Complete these on your template now
Step 9 — how sensitive is the data? (name, job title, professional email, professional postal address)
Step 10 · Volume — how many people? (1,750)
Step 11 — what consequences could the affected people experience?
Step 12 · Harms — which catalogued harms plausibly apply?
Step 13 · Containment — what's been done so far?
Then turn to the Your judgement page of your template and commit to your own call:
Likelihood, in words — how likely is it that the people affected suffer adverse effects? (unlikely / possible / likely / very likely)
Severity, in words — how bad would those effects be? (negligible / limited / serious / severe)
Your overall classification — unlikely to result in risk / risk / high risk. There is no arithmetic: weigh the two answers above together with the mitigating circumstances, the way Art. 34/35 EUDPR asks the controller to.
Your one-paragraph rationale in your own words: which facts drive your call?
Your initial notification decision: Notify EDPS under Art. 34? Communicate to data subjects under Art. 35?
Take your time. When you're done, click Continue — before you commit your judgement, one more thing to think through.
🧭 BEFORE YOU JUDGE — threat assessment
What could actually happen to these people?
A risk band is only as good as the threats behind it. Before you commit your judgement, think through who is exposed and to what — the way the EDPS Guidelines ask a controller to.
✍️ Think it through (note it on your template)
Threats to the data subjects. Given the profiles (academics, policy makers, journalists, NGOs, MEPs, ministry experts) and the processing activity, what could a holder of this list realistically do with it — and how does intact, strong encryption change that answer?
Same risk across the data dimensions? You decided which of Confidentiality / Integrity / Availability are in scope. Would the risk score be the same for each dimension, or do they differ here?
A one-off, or a moving picture? A breach risk assessment is an instant-T snapshot. If a new fact arrives later (say, the laptop connects to the internet), the finalised assessment has to be revisited. What single new fact would most change your call?
You don't score anything new here — you just sharpen the reasoning behind the judgement you're about to commit.
Your judgement · commit your final call
You have read the full case, scored it on your paper template, and thought through the threats. Now record your final pre-work judgement here. It is saved with your account and locks once you commit it — at the workshop you will defend it, compare it with your colleagues' calls, and revise it when new information arrives in the room.
🔒 Your judgement is recorded and locked. Bring your paper template to the workshop — the discussion starts from the call you just committed.
1. How likely is it that data subjects suffer adverse effects?
2. How severe would those effects be?
3. Your overall risk classification
Weigh the two answers above together with the mitigating and aggravating circumstances. There is no arithmetic here — this is your call, the same call Art. 34/35 EUDPR asks of the controller.
5. Your notification decisions
Still missing before your judgement can be locked:
{{ m }}
ⓘ Once locked, your judgement cannot be edited — the workshop debrief works from an honest, committed position, not a polished answer. New information will arrive in the room, and you will get a separate chance to revise your call there.
In-class re-assessment ✓ submitted
New information has arrived. Weigh it against your locked pre-work judgement and record your revised call. Where nothing changed, say so — holding your position under pressure is as valid as moving, as long as the rationale carries it.