FDPIC · Risk · DPIA

Risk Radar According to FDPIC Annex A: Systematically Evaluating Privacy Risks

Annex A of the FDPIC guide describes a risk evaluation methodology that many SMEs don't know. How it works, when it's mandatory, and how to apply it for your website — without compliance theatre.

Aiara Team · 4 min read

"Do we need a Data Protection Impact Assessment?" is one of the most common questions, and the answer is usually: "Probably not, but Annex A of the FDPIC guide lets you check that systematically." The FADP itself does not mention Annex A; it is a practical tool published by the FDPIC that is worth its weight in gold in everyday practice.

What Annex A delivers

The FDPIC's guide on Data Protection Impact Assessment (DPIA) contains an Annex A that describes a structured methodology for evaluating data protection risks. The method combines four dimensions into an overall score, giving a traceable, documented basis for the decision "DPIA yes or no".

Important: Annex A is a recommendation, not an obligation. Anyone who uses it has a defensible risk assessment process. Anyone who applies their own method must be able to document it in a comparably structured way.

The four risk dimensions

1. Severity of impact

How severe would the damage to a data subject be if something goes wrong? Typical scale:

  • Low — minor effort to restore (e.g. newsletter spam)
  • Medium — noticeable impact (e.g. unwanted advertising)
  • High — substantial impact (e.g. unfair credit decision)
  • Very high — irreparable (e.g. public disclosure of sensitive health data)

2. Probability

How likely is it that the damage actually occurs? Scale:

  • Very unlikely — e.g. with very strong security measures
  • Unlikely — standard security, little attack surface
  • Possible — average risk
  • Likely — vulnerabilities known, mitigation unclear
  • Very likely — no protective measures, high attack surface

3. Number of affected persons

How many people would be affected? Scale:

  • Few (< 100)
  • Medium (100-10,000)
  • Many (> 10,000)

4. Special vulnerability

Are particularly vulnerable persons affected? (e.g. children, patients, or employees, who are in a position of dependence towards the controller)

  • No — usual adult users
  • Yes — children, patients, employees or persons in vulnerable situations

Calculating the risk score

The score is typically formed by multiplying or otherwise aggregating the four dimensions. The rest of this article uses the following simple multiplicative model:

Risk = Impact × Probability × Number-Factor × Vulnerability-Factor

With:

  • Impact: 1-4
  • Probability: 1-5
  • Number: 1 (few), 2 (medium), 3 (many)
  • Vulnerability: 1 (no), 2 (yes)

Thresholds in this model (the product ranges from 1 to 4 × 5 × 3 × 2 = 120):

  • Score 1-12: Low risk, no DPIA needed
  • Score 13-30: Medium risk, DPIA recommended
  • Score 31-120: High risk, DPIA mandatory

Example: SME web shop with standard marketing

Setup: Swiss web shop, ca. 5,000 monthly visitors, Google Analytics, Meta Pixel, newsletter via Brevo.

Impact: 1 (low) — if the tracking data leaked, the impact on an individual would be minor.

Probability: 2 (unlikely) — the tools come from established providers with mature security.

Number: 2 (medium) — every visitor whose data the tags process counts, so roughly 5,000 persons per month, which falls in the 100-10,000 band rather than "few".

Vulnerability: 1 (no) — standard users.

Score: 1 × 2 × 2 × 1 = 4 → Low risk, no DPIA needed.

Example: Online platform with profiling

Setup: SaaS platform, automatic tariff calculation based on user behaviour and demographic data, 50,000 users.

Impact: 3 (high) — an incorrect tariff determination can cause financial disadvantage.

Probability: 3 (possible) — the algorithm can contain bias and has not been tested for it.

Number: 3 (many) — over 10,000 persons.

Vulnerability: 1 (no) — business customers.

Score: 3 × 3 × 3 × 1 = 27 → Medium risk, DPIA recommended. One step higher in probability (4, likely) already gives 36 → High risk, DPIA mandatory.
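A small calculator for the model above, with the two worked examples as input and a sensitivity check that shows which single-dimension change would push each case into the mandatory band. This is an added example written for this article, not code from the FDPIC guide or from Aiara; the scales, bands and thresholds are the ones stated above, and the function names and the two sample assessments are this example's own.

```python
"""Risk score calculator for the four-dimension model used in this article.

Added illustration, not FDPIC or Aiara code. Scales and thresholds are the
article's: Impact 1-4, Probability 1-5, Number 1-3, Vulnerability 1-2;
Low <= 12, Medium 13-30, High >= 31 (the product can reach at most 120).
"""
from dataclasses import dataclass, replace
from typing import List, Tuple

# Allowed values per dimension, in the order the article lists them.
SCALES = {
    "impact": range(1, 5),         # 1 low .. 4 very high (irreparable)
    "probability": range(1, 6),    # 1 very unlikely .. 5 very likely
    "number": range(1, 4),         # 1 few (<100), 2 medium, 3 many (>10,000)
    "vulnerability": range(1, 3),  # 1 no, 2 yes (children, patients, employees)
}


@dataclass(frozen=True)
class Assessment:
    impact: int
    probability: int
    number: int
    vulnerability: int

    def __post_init__(self):
        # Reject values outside the scale so a typo cannot silently inflate
        # or deflate the product.
        for name, allowed in SCALES.items():
            value = getattr(self, name)
            if value not in allowed:
                raise ValueError(
                    f"{name}={value} outside {allowed.start}-{allowed.stop - 1}")


def number_factor(affected_persons: int) -> int:
    """Map a head count to the article's three bands."""
    if affected_persons < 100:
        return 1
    if affected_persons <= 10_000:
        return 2
    return 3


def score(a: Assessment) -> int:
    """Risk = Impact x Probability x Number-Factor x Vulnerability-Factor."""
    return a.impact * a.probability * a.number * a.vulnerability


def classify(s: int) -> str:
    """Band according to the article's thresholds."""
    if s <= 12:
        return "low"
    if s <= 30:
        return "medium"
    return "high"


def tipping_points(a: Assessment) -> List[Tuple[str, int, int]]:
    """Smallest single-dimension increase that lands in the 'high' band.

    Returns (dimension, new_value, new_score) per dimension where such a
    step exists; an empty list means no single change makes a DPIA mandatory.
    """
    found = []
    for name, allowed in SCALES.items():
        for value in allowed:
            if value <= getattr(a, name):
                continue
            candidate = replace(a, **{name: value})
            if classify(score(candidate)) == "high":
                found.append((name, value, score(candidate)))
                break  # the smallest step in this dimension is enough
    return found


# Constructed inputs mirroring the article's two examples.
WEB_SHOP = Assessment(impact=1, probability=2,
                      number=number_factor(5_000), vulnerability=1)
PLATFORM = Assessment(impact=3, probability=3,
                      number=number_factor(50_000), vulnerability=1)

if __name__ == "__main__":
    for label, a in (("web shop", WEB_SHOP), ("platform", PLATFORM)):
        s = score(a)
        print(f"{label}: score {s} -> {classify(s)}; "
              f"single steps to 'high': {tipping_points(a) or 'none'}")
```

For the web shop no single-dimension change reaches the mandatory band, which is why a DPIA is comfortably optional there. For the platform the calculator reports three separate one-step routes to "high" (impact 4, probability 4, or vulnerable users), so any of those findings during the assessment would make the DPIA mandatory, not just the probability step mentioned in the text.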

When the FDPIC must be consulted

If the DPIA shows that the planned processing would still carry a high risk despite the planned measures, the controller must obtain the opinion of the FDPIC before starting the processing (Art. 23 FADP). A private controller that has appointed a data protection adviser under Art. 10 FADP may consult that adviser instead (Art. 23 para. 4 FADP). In practice this is rarely necessary; usually mitigations are found that reduce the risk adequately.

Possible mitigations:

  • Data minimisation — collect less data
  • Anonymisation/pseudonymisation — anonymised data can no longer be linked to a person; pseudonymised data can still be re-identified with the separately held key and remains personal data, so it lowers the impact without removing the obligation
  • Consent — explicit agreement as additional legitimation
  • Transparency — inform data subjects and provide choice
  • Security measures — encryption, access controls, logging; these lower the probability dimension

Aiara and the Risk Radar

In Aiara Phase 3 (planned for 2026), the Risk Radar is to become an integrated feature. Swiss SMEs will then be able to run a quick evaluation per domain and per tool used, based on the four dimensions, with automatic mitigation recommendations. Anyone using the Risk Radar regularly documents their risk assessment systematically and can present a reasoned evaluation immediately if the FDPIC asks.

Until then: take Annex A seriously, write down an evaluation for each relevant processing operation, and record the result with date and responsible person. Without a tool this takes about half an hour per operation.

Frequently Asked Questions

What is FDPIC Annex A?

Annex A of the FDPIC guide on Data Protection Impact Assessment describes a structured method for evaluating the risks of a data processing operation. Four dimensions are considered: severity of impact, probability, number of affected persons and special vulnerability. The evaluation produces a risk score that indicates whether a DPIA is required.

When is a Data Protection Impact Assessment (DPIA) mandatory?

When a processing operation is likely to entail a high risk to the personality or fundamental rights of the data subjects (Art. 22 FADP). Classic examples: profiling with major impact (such as creditworthiness or tariffs), processing of sensitive personal data (health, religious beliefs), extensive systematic monitoring of public areas.

Does a typical SME web shop need to do a DPIA?

If the website uses standard tracking (Google Analytics, Meta Pixel) and carries out no high-risk processing, a DPIA is generally not mandatory. As soon as profiling with major impact is involved (e.g. dynamic pricing based on user behaviour), it becomes relevant.

Who carries out the DPIA?

The controller, in practice typically the managing director or a delegated person. A data protection adviser (internal or external) should be involved. In case of uncertainty or a remaining high risk: consult the FDPIC, or the appointed data protection adviser where Art. 23 FADP allows it.

How do you document a DPIA?

In writing, with a clear description of the processing, the risks, the mitigations and the remaining risks. Ideally as a dated Word/PDF document naming the responsible person. If the FDPIC asks, this documentation is worth its weight in gold: it shows that the risks have been thought through.

Ready for clean cookie consent?

Aiara handles cookie banners, privacy policies and legal notices for your website — FADP and GDPR compliant.

Discover Aiara