Does anyone add risk scores to individual processing activities within their ROPA? If so, does anyone have a matrix or guidance to help risk assess controls etc to help assign a risk score that they would be willing to share please? High risk activities are explored via DPIAs but I’m thinking more around lower risk activities that don’t meet the DPIA threshold but are still recorded in ROPAs.
I am aware this may be an odd question but it’s come up as part of an audit action and I am a little stumped. We don’t use any automation tools so all is currently logged on spreadsheets and the current risk scoring doesn’t have any framework. Any help or suggestions greatly appreciated.