Showing posts from March, 2020

Calculating the severity of a data breach

While at the 2019 IAPP Privacy. Security. Risk. conference, I was introduced to the European Union Agency for Network and Information Security (ENISA)'s "Recommendations for a methodology of the assessment of severity of personal data breaches" in Liisa M. Thomas's Data Breach Bootcamp. The methodology allows you to calculate the severity of a data breach from the perspective of a data subject: what's the personal harm? The methodology systematizes and standardizes the “estimation of the magnitude of potential impact on the individuals derived from the data breach”. By answering a few questions about the breach, the methodology produces a severity score:

Low: Individuals either will not be affected or may encounter a few inconveniences, which they will overcome without any problem (time spent re-entering information, annoyances, irritations, etc.).

Medium: Individuals may encounter significant inconveniences, which they will be able to ove