The list of identified risks is evaluated using the following values for likelihood of occurrence and severity of potential harm:
Overall risk is calculated as the product of the likelihood of occurrence and the severity of potential harm.

| Risk | Likelihood of harm | Severity of harm | Overall risk |
| --- | --- | --- | --- |
| Loss of control by individuals over their personal data | 2 (Possible) | 1 (Minimal) | 2 |
| Discrimination or bias | 1 (Remote) | 3 (Severe) | 3 |
| Increased risk of identity theft or fraud | 1 (Remote) | 2 (Significant) | 2 |
| Loss of confidentiality | 2 (Possible) | 3 (Severe) | 6 |
| Re-identification of pseudonymized data | 1 (Remote) | 1 (Minimal) | 1 |
| Revealing sensitive information or information about vulnerable individuals (e.g. children) | 1 (Remote) | 3 (Severe) | 3 |
| Collecting inaccurate information or making inaccurate assumptions about the individual | 2 (Possible) | 1 (Minimal) | 2 |

The following risk mitigation measures are being applied to reduce the system's overall level of vulnerability:

| Risk | Mitigation measure | Effect on risk | Status |
| --- | --- | --- | --- |
| Loss of confidentiality | Implementing internal data handling policies for staff | Reduce likelihood of harm | In progress |
| | Training staff on how to use personal data | Reduce likelihood of harm | Not started |
| | Giving individuals a choice as to how their personal data will be used | Reduce severity of harm | Not started |