{{ toastMessage }}

Data Breach Risk Assessment Tool — Training

Training Sandbox👨‍🏫 Instructor mode
⚠ {{ t('warn_inc') }} {{ vaultName.length > 20 ? vaultName.slice(0,17) + '...' : vaultName }} ({{ vaultLastSaved }}) {{ saveStatus === 'saving' ? 'Saving\u2026' : saveStatus === 'pending' ? 'Unsaved' : saveStatus === 'error' ? 'Save failed' : saveStatus === 'saved' ? 'Saved' : 'Idle' }}
📌 Instructor note · {{ wiz_step }}

{{ train_instructor_note }}

📋 Discussion guide — {{ train_scenario.title }}

Questions to debate as a team while working through the assessment. These do not feed the engine — they are prompts for the team's reasoning.

{{ block.title }}
  1. {{ q }}
⚠ Inject

{{ train_scenario.inject.label }}

Revised question: {{ train_scenario.inject.revised_question }}
Revised questions:
  • {{ q }}
{{ s.label }}

Let's walk through your data breach assessment

This guided mode will ask you questions in plain language and translate your answers into the EUDPR / EDPB risk categories. It's intended for staff dealing with a breach for the first time, or who want a structured walk-through.

Expect about 10–15 minutes. You can step back at any point. At the end you'll see the calculated risk and which legal obligations apply.

ⓘ Tip: If you already know the methodology and want the full tabbed interface, switch to Expert mode using the toggle at the top of the page.

What this assessment is based on
The questions map to the same scoring engine used by the expert version of the tool: a 4×4 likelihood×impact matrix following EDPB Guidelines 9/2022 v2.0, with three risk levels (LOW / RISK / HIGH RISK) matching the Art. 34 / Art. 35 thresholds in Regulation (EU) 2018/1725 (EUDPR). Per–data–subject–category scoring is preserved — you'll score one category in detail, then we'll ask whether other categories of affected people would score differently.

Step 1 · Identification

Some basic details for the report header. None of these affect the risk calculation, but they appear at the top of the final report and several are referenced by the EDPS notification template.

Internal identifier used to track this breach across documents.

When ticked, the controller's notification and DS-communication obligations are governed by Arts. 92, 93 and 94 — not Arts. 34 and 35. The risk calculation is identical for both scopes; only the legal references in the report differ. Most EU institutions leave this unchecked.

List the RoPAs relevant to the breach. You'll attach one to each DS category in Step 6. If you don't have RoPAs to reference, skip this section.

Step 1 · What happened?

Describe what happened in your own words. Don't worry about technical terms — write as if explaining to a colleague who wasn't involved. We'll ask the technical follow-ups in the next steps.

Examples: "A laptop containing a list of training participants was stolen from a meeting room." · "An email with attendees' personal data was sent to the wrong distribution list." · "Our HR system was hit by ransomware; backups are intact and forensics found no exfiltration."
{{ (state.breach.desc || '').length }} / 3000 characters · This text will appear at the top of the report.

Step 1 · What did the breach affect?

A breach can affect data in three different ways. Tick all that apply — many breaches affect more than one.

What this maps to (technical)
These three options correspond to the CIA triad — Confidentiality, Integrity, Availability. A breach must affect at least one. The combination determines which Likelihood factors apply later (e.g. L1 only matters if Confidentiality is in scope).

Step 1 · What caused the breach?

Pick the option that best describes how the breach happened.

Step 2 · When did this happen?

Five dates matter. The most important is Date of Awareness — that's what starts the 72-hour clock under Art. 34(1) EUDPR. The notification dates can be left blank if you haven't notified yet; the wizard surfaces a warning if the deadline has passed.

When IT first saw an alert, a user reported a problem, or a third party informed you. Optional.
The date the institution had reasonable certainty personal data was involved. Starts the 72-hour clock.
72-hour deadline: {{ wiz_deadlineDisplay }} ✔ EDPS notified within the 72-hour deadline EDPS notified late — provide the reason below already past the deadline and EDPS not yet notified — less than 24h left to notify
Date when the institution submitted the Art. 34 notification to the EDPS. Leave blank if not notified yet.
Date of Art. 35(1) communication. Only mandatory for HIGH RISK breaches.
Mandatory under Art. 34(1) EUDPR when notifying late.
Why detection and awareness can differ
EDPB Guidelines 9/2022 §28: detection is when the controller becomes aware of an incident; awareness is when the controller has reasonable certainty that a personal-data breach has occurred. A short investigation period between the two is acceptable.

Step 3 · Whose data was affected, and how vulnerable are they?

Pick the most representative category from the institution's DS register. Then confirm or adjust the inherent vulnerability (I0) for this specific case. If multiple categories are affected you'll add the others later as variations.

The DS register is empty. Pick Custom below or set up the register first.
For custom categories you set the I0 manually below.

About the population, not the incident. The I0 is pre-filled from the chosen category — adjust if this specific case warrants a different score (for example, a politically sensitive subset of an otherwise general-public category).

You have adjusted the I0 away from the register default ({{ wiz_i0Labels[wiz_primary.i0Suggested] }}). Document the rationale in the DPO confirmation field after the wizard.
What I0 does in the calculation
I0 is an inherent-vulnerability modifier on the Impact score: +0 (Standard), +1 (Elevated), +2 (High), +3 (Critical). It captures vulnerability of the data subject category, independent of the incident. Special-category status (Art. 10/11 EUDPR) is captured in I1, not here.
No RoPAs added yet. Go back to Step 1 · Identification to register one, or leave this empty.

Step 4 · Could the data be read by whoever has it?

If someone unauthorised got hold of the data, can they actually identify the people in it?

Step 4 · Where did the data end up?

After the breach, who had access, or what happened to the data?

Step 4 · Was this an accident or a deliberate attack?

A deliberate attack is more likely to lead to data being misused. Asking about intent and exploitation.

Step 4 · Did the data actually leave our environment?

Different from "where did it end up" — here we want to know whether the data was physically extracted from your systems by an attacker, or whether it remained inside even though access happened.

ⓘ Note — device vs data: the question is about extraction of usable data, not about whether a device physically left the premises. A stolen laptop with intact strong encryption leaves the device but the bytes are unintelligible — that case answers No here, and the encryption status is captured separately at the L1 step.

How widely did the data spread?

Why this matters for the score

Confirmed exfiltration forces Likelihood ≥ 4 because once data has left your perimeter you cannot put it back — the worst-case must be assumed. Plausible/unknown with an external attack pushes Likelihood ≥ 3.

None is the only value that enables the null-impact downgrade later (which can take a RISK breach down to LOW). Pick "none" only when you have positive evidence — not just absence of evidence.

Step 4 · What kind of data was affected?

Different data carries different risk if exposed. Pick the most sensitive kind affected, even if only part of the dataset.

Step 4 · How many people are affected?

Volume affects how widely the harm could spread. The Expert tab and the EDPS Art. 34 notification form distinguish between individuals (distinct people) and records (distinct data items — one person can have several). Fill what you know; the engine cross-validates against the band you pick below.

Distinct data subjects across all categories.
Distinct records / data items. Often higher than individuals (one person, many records).

Then pick the closest band — this is the value the engine uses for scoring (Volume factor, EDPB Guidelines 9/2022 §4.6.2). If the exact number is unknown, leave the inputs blank and pick a band based on best estimate.

Step 4 · What could happen to the affected people?

Realistic worst-case consequences, given everything you've described.

Step 4 · What specific harms could the people experience?

Tick every harm realistically possible. If none apply, leave them all unticked and confirm below.

Step 5 · How is the breach being contained and handled?

A few questions about the institution's response. These don't change the inherent risk of the breach, but they affect which downgrades apply, and they also fill in the report fields that the EDPS expects to see.

When in doubt, pick the most pessimistic that's compatible with the facts.
"Full" is required (alongside other conditions) to allow a RISK→LOW downgrade.
How long until full restoration?
"Resolved" is required for the RISK→LOW downgrade. Pick "ongoing" if the situation is still developing.
Required for cybersecurity incidents under Reg. (EU) 2023/2841. If the breach has a cybersecurity dimension, CERT-EU should also be in the loop.
How the engine uses these answers

Containment / recovery / persistence together with exfiltrationStatus = 'none' and harmsConfirmed = true can trigger a one-step risk downgrade (RISK→LOW or HIGH RISK→RISK) for benign incidents — see EDPB Cases 01, 09, 15.

The operational status flags (managed/contained, investigation ongoing, CERT-EU notified) don't change the score but generate the cross-validation warnings the EDPS expects to see in the final report. Leaving them unset will trigger warnings like "breach is not marked as contained and no investigation is ongoing".

Step 5 · Are other categories of people also affected?

You've scored this for {{ wiz_primaryCategoryLabel }}. The same breach can affect other categories with a different risk profile (e.g. employees + minors).

For each additional category, only mark the factors that differ from your primary scoring. Everything else is inherited.

Which factors might differ between categories — and how to decide

Most often, only the three Impact factors change. The breach mechanics (how data was lost, where it ended up, whether it was an attack) are properties of the incident itself, so they're inherited. What can legitimately differ is who the affected people are and what the consequences mean for them.

Inherent vulnerability (I0) — how vulnerable is this category before any breach? About the population, not the incident. When does it differ? When the new category has a different vulnerability profile — e.g. you scored for general staff (Standard, +0) but the breach also affected minors (High, +1) or whistleblowers (Critical, +2).

Data nature and sensitivity (I1) — what kind of data was exposed, and does the combination of fields itself enable harm? When does it differ? When the breach exposed different fields for different categories — e.g. names & addresses for visitors (Basic) but health records for patients (Special category) — or when one category's data combines into a harm pattern (e.g. name + location patterns ⇒ surveillance).

Consequences (I2) — what could realistically happen to these specific people? When does it differ? Same data can have different impact — e.g. a leaked address is annoying for most but life-threatening for an abuse survivor.

If unsure, leave the select on inherit. You can refine in Expert mode after the wizard.

No additional categories yet. Pick a category from the DS register to add one.
DS category Inherent vulnerabilityhow vulnerable as a population Data nature & sensitivitywhat kind of data was exposed Consequencesrealistic worst case for them Notes

Result · calculated risk and obligations

Based on what you've entered, here's the calculated risk for each affected category. The overall breach risk is the worst of these, and that's what determines your legal obligations.

{{ levelLabel(wiz_overallRisk) }}

Per-category breakdown

DS categoryLIMatrix outputFinal (after overrides)

Engine warnings

{{ w }}
Internal record only — no notification required. The breach has been classified as "Unlikely to result in risk" (Art. 34(1) negative threshold). Under Art. 34(6) EUDPR you must still keep an internal record of the breach.

Controller's position on the calculated result

The controller (typically the institution's senior management or the DPO acting on their behalf) records here whether the calculated risk and the resulting notification decision are agreed. Optional — you can leave this for the senior reviewer to complete in Expert mode.

Required when the controller disagrees with the engine's calculation.

Tick this only if direct DS communication would involve disproportionate effort and a public communication (or equivalently effective measure) will be issued instead.

📝 Article 35 communication to data subjects

Draft the four key elements that the Article 35 communication to the most affected category (current employees) would contain. Use clear, non-technical language. Bullet form is fine — this is a draft, not final copy.

Avoid technical jargon (no "MFA", "DLP", "exfiltration") — write as if explaining to a colleague outside the institution.
Be honest. Understating risks is a failure of accountability; overstating loses trust.
The data subject must know what to do, not just what happened.
Always include the DPO contact.

Want to see how this compares with EDPB guidance?

Want to see the discussion guide for this scenario?

This scenario is based on a real example from the EDPB Guidelines / EDPS Annex 2 with an established expected outcome. You can review the pedagogical analysis now (rationale, per-field comparison, lessons) — or close this exercise and try another scenario.

This scenario does not have a single "correct" answer — it is designed to be debated as a team. You can review the discussion prompts and the expected outcome band now, or close this exercise and try another.

📋 Pedagogical analysis — {{ train_scenario.title }}

Your final outcome
{{ train_outcome.yours }}
Expected outcome band (EDPS guidance)
{{ train_scenario.expected_band }}

Why this band

{{ train_scenario.expected_band_rationale }}

Discussion prompts your team should have covered

{{ block.title }}
  1. {{ q }}
⚠ You did not open the scenario inject. In the live session your facilitator would have announced it ~15–20 min into the assessment. Re-do this scenario and open the inject to complete the exercise — your assessment is incomplete without it.

📋 Pedagogical analysis — {{ train_scenario.title }}

Your final outcome
{{ train_outcome.yours }}
vs
EDPB classification
{{ train_outcome.edpb }}
{{ train_outcome.match ? '✓ Aligned' : '⚠ Different' }}

EDPB rationale for this scenario

{{ train_scenario.edpb_reasoning }}

Source: {{ train_scenario.edpb_source }}

Step-by-step review of your decisions

The EDPB values are blurred by default so you can review your own choices first.

FieldYour valueEDPB valueVerdict
CIA dimensions{{ train_display(train_compare('cia').trainee) }}{{ train_display(train_compare('cia').edpb) }}{{ train_compare('cia').verdict }}
Root cause{{ train_display(train_compare('cause').trainee) }}{{ train_display(train_compare('cause').edpb) }}{{ train_compare('cause').verdict }}
L1 (ease of ID){{ train_display(train_compare('l1').trainee) }} (sub: {{ train_compare('l1sub').trainee }}){{ train_display(train_compare('l1').edpb) }} (sub: {{ train_compare('l1sub').edpb }}){{ train_compare('l1').verdict }}
L2 (exposure){{ train_display(train_compare('l2').trainee) }}{{ train_display(train_compare('l2').edpb) }}{{ train_compare('l2').verdict }}
L3 (root-cause severity){{ train_display(train_compare('l3').trainee) }}{{ train_display(train_compare('l3').edpb) }}{{ train_compare('l3').verdict }}
I0 (DS vulnerability){{ train_display(train_compare('i0').trainee) }}{{ train_display(train_compare('i0').edpb) }}{{ train_compare('i0').verdict }}
I1 (data nature){{ train_display(train_compare('i1').trainee) }}{{ train_display(train_compare('i1').edpb) }}{{ train_compare('i1').verdict }}
I2 (consequences){{ train_display(train_compare('i2').trainee) }}{{ train_display(train_compare('i2').edpb) }}{{ train_compare('i2').verdict }}
Vol (documentary){{ train_display(train_compare('vol').trainee) }}{{ train_display(train_compare('vol').edpb) }}{{ train_compare('vol').verdict }}
Harms{{ train_display(train_compare('harms').trainee) }}{{ train_display(train_compare('harms').edpb) }}{{ train_compare('harms').verdict }}
Harms taxonomy reviewed{{ train_display(train_compare('harmsConfirmed').trainee) }}{{ train_display(train_compare('harmsConfirmed').edpb) }}{{ train_compare('harmsConfirmed').verdict }}
Recipient{{ train_display(train_compare('recipientType').trainee) }}{{ train_display(train_compare('recipientType').edpb) }}{{ train_compare('recipientType').verdict }}
Exfiltration{{ train_display(train_compare('exfiltrationStatus').trainee) }}{{ train_display(train_compare('exfiltrationStatus').edpb) }}{{ train_compare('exfiltrationStatus').verdict }}
Spread{{ train_display(train_compare('spreadStatus').trainee) }}{{ train_display(train_compare('spreadStatus').edpb) }}{{ train_compare('spreadStatus').verdict }}
Response actions{{ train_display(train_compare('dec').trainee) }}{{ train_display(train_compare('dec').edpb) }}{{ train_compare('dec').verdict }}

💡 Lessons from this scenario

ARETE

Personal Data Breach Risk Assessment👨‍🏫 Instructor mode

Remember {{ COURSE_META.oneMessage }}
{{ arete_username }}
From {{ t.by_username || 'facilitator' }} {{ t.at && t.at.slice(11, 16) }}
{{ t.text }}
Programme overview

{{ training_trainee_name ? 'Welcome, ' + training_trainee_name + '.' : 'Welcome to ARETE' }}

ARETE prepares you to perform a mature personal data breach risk assessment in line with Articles 34 and 35 EUDPR. This page is your home for everything related to the programme — pre-work, agenda, scenarios, reference library, and follow-up.

🔒

Additional sections will appear here as your facilitator opens them during the workshop on {{ COURSE_META.date }}.

Logistics

📅 Date
{{ COURSE_META.date }}
📍 Venue
{{ COURSE_META.venue }}
⏱ Duration
Half-day · 08:30 – 13:00 · ~3.5 h of active content time
👥 Format
In-person, multi-disciplinary team-based work, 4–5 per team
📋 What to bring
Your printed pre-work paper template, a pen, and your name card
🌐 Language
English, plain language. No idioms; pace accommodates non-native speakers

Agenda

TimeBlockMode
{{ row.time }} {{ row.block }} {{ row.mode }}

Facilitation team

  • {{ f.name }} {{ f.role }}
Chatham House rule The session is non-attribution. Mistakes raised during exercises are framed as learning opportunities, not compliance failures.
Programme overview · 1 of 4

Why ARETE exists

ARETE originates from a clearly identified problem, supported by evidence from the EDPS analysis of breach notifications and the 2024 Data Breach Management Awareness project. Four recurring patterns surfaced in how EUIBAs perform breach risk assessment:

1

Low maturity in risk analysis

Risk assessments submitted in breach notifications regularly fall below the expected standard — the surface of attack is under-defined, adverse effects are vague, and the rationale for the risk score is missing or implicit.

2

Risk centred on the organisation, not on data subjects

Organisational risk concerns crowd out the risk to data subjects — which is what Article 34 EUDPR actually requires controllers to assess.

3

High tolerance to risk

Controllers consistently lean toward under-evaluating risk, often to avoid the obligation to notify or to communicate. Some EUIBAs even use risk matrices that split "high risk" into notify / don't-notify paths — contradicting the three-tier framework in the law.

4

Inadequate communications to data subjects

Article 35 communications often lack the required elements (nature, consequences, mitigation, contact) and lean on overly technical or vague language that fails to empower the data subject.

The one message {{ COURSE_META.oneMessage }}
Programme overview · 2 of 4

What you'll learn

By the end of ARETE, you will be able to:

LO1

Differentiate organisational risk from data subject risk

You will distinguish between organisational impacts and adverse effects on data subjects, correctly identifying at least three specific data subject risks (identity theft, loss of control over personal data, reputational harm, …) that must be prioritised in an EUDPR-compliant assessment.

Addresses Finding 2.

LO2

Apply the EDPS risk assessment methodology with reasoned rationale

Following the pre-work and the guided scenario, you will apply the methodology to a breach scenario — identifying the key risks to data subjects, assigning a Low / Risk / High Risk score, and writing a rationale that maps the surface of attack to specific increasing or decreasing risk factors.

Addresses Findings 1 and 2.

LO3

Determine notification obligations

Given a complex breach use case, you will decide whether the breach requires notification to the EDPS under Article 34 and/or communication to data subjects under Article 35, justifying the decision with reference to the three-tier risk framework and the 72-hour deadline.

Addresses Finding 3.

These three objectives map directly to the four Kirkpatrick measurement levels collected through the platform: the pre-work diagnostic captures your baseline (LO1 + LO2), the closing knowledge check measures the learning gain, the action plan records the behavioural commitment (LO3), and the end-of-day feedback captures your reaction to the programme.

Before the workshop

Your pre-work readings {{ pf_prework_done_count }}/{{ pf_prework_total }} · diagnostic {{ pf_diagnostic_submitted ? '✓' : 'pending' }}

Four blocks. Total effort: ~30 minutes. Please complete before the workshop day — the first 30 minutes of the session activate this material rather than re-deliver it.

1

Read the essentials

~10 min

Five short readings curated from the reference library. Tick each as you finish.

2

Pre-work diagnostic ✓ submitted🔒 locked

~5 min

Five short risk-rating questions on simple cases. Your answers establish the baseline for the workshop's Level 2 measurement. The questions are kept simple on purpose — they prime you on the kind of judgement you will make in the room.

🔒 Your facilitator will open this survey when pre-work begins. Until then, focus on the readings above.

⚠ No "correct answer" feedback is shown at this stage — that comes during the workshop's pre-work activation. Please commit to a judgement on each item.

  1. Q{{ i + 1 }}. {{ q.stem }}
{{ pf_diagnostic_answered_count }} of {{ ARETE_DIAGNOSTIC.length }} answered
✓ Submitted at {{ prework_diagnostic.submittedAt }} — your baseline is captured. The reference key is included in your data export.
3

Scenario 1 — The Encrypted Gateway

~20 min

An 8-screen guided briefing of a realistic breach scenario. As you read, capture your scoring on the paper template. Open the briefing, walk through it at your own pace, and bring the completed template to the workshop.

📥 Download paper template

Expected band: Unlikely risk ⇄ Risk. The scenario is intentionally ambiguous — there's no single "right" answer. Your reasoning is what we will discuss in the workshop's opening.

4

Optional — bring your own incident

~5 min

Identify one breach or near-miss from your institution that you would like to discuss during the day. Anonymise it. You're not obliged to share — it's a prompt for your own thinking and a candidate example for the plenary debriefs.

Stored only in your browser (localStorage). Nothing is uploaded.

Workshop day

Scenario 2 — The Inter-Agency Data Leak

One in-room scenario delivered in three parts over the half-day. Your pre-work (Scenario 1) is the preparation. Materials below unlock when your facilitator shares the code at the start of Part A.

S2

Scenario 2 — The Inter-Agency Data Leak

~160 min · 3 parts

A multi-actor breach involving a third-party processor, sensitive data combinations, and a retention failure that compounds the case. You work it across three modes:

🔒 Unlocked at the start of Part A. Your facilitator will share the code (ARETE-S2).

📥 Download paper template
Part A

Roleplay 40 min

Three facilitators in role (Controller, DPO, IT Security Officer) re-enact the discovery meeting and model the methodology in voice. You observe. Take notes on which framings sound right and which feel off — those are the inputs for Part B.

Part B

Debrief & consolidation 30 min

Plenary discussion: name the framings you observed in Part A, map them to the methodology phases on the flipchart. The facilitators draw out where the roleplay was deliberately weak so the cohort spots the trap before it bites them in Part C.

Part C

Independent decision 70 min

New injects arrive. Your team applies the methodology, decides Art. 34 / Art. 35, drafts the four communication elements (nature · consequences · mitigation · contact). This is the Level 2 measurement artefact — copy the four blocks into your team's deliverable when you submit.

💡 Use the same assessment tool above — the wizard will guide you through the scoring and then expose the four communication textareas on the Result step.

Workshop day

Closing knowledge check

Eight multiple-choice questions covering the day's content, administered at the close of the workshop before the plenary debrief. Compared against your pre-work diagnostic, this gives the Level 2 measurement for the cohort.

KC

Closing knowledge check ✓ {{ knowledge_check.score }}/{{ ARETE_KNOWLEDGE_CHECK.length }} correct🔒 locked

~5 min · 8 questions

🔒 Your facilitator will open this near the end of the workshop. Unlike the diagnostic, you'll see the correct answer and a short explanation after submitting.

Read each question carefully. You will see the correct answer and a short explanation after submitting.

  1. {{ q.section }}
    Q{{ i + 1 }}. {{ q.stem }}
    {{ kcIsCorrect(q.id) ? '✓ Correct.' : '✗ Reference answer: ' + q.correct + '.' }} {{ q.explain }}
{{ pf_kc_answered_count }} of {{ ARETE_KNOWLEDGE_CHECK.length }} answered
✓ Submitted at {{ knowledge_check.submittedAt }} — score {{ knowledge_check.score }}/{{ ARETE_KNOWLEDGE_CHECK.length }}. Your learning journey is on the "Your action plan" page.
After the workshop

Your action plan

Your learning journey

From the baseline you set before the workshop to the closing knowledge check.

Pre-work baseline
{{ prework_diagnostic.score }} / {{ ARETE_DIAGNOSTIC.length }}
{{ pf_l2_baseline_pct }}%
+{{ pf_l2_delta_pp }} pp {{ pf_l2_delta_pp }} pp ±0 pp
Closing knowledge check
{{ knowledge_check.score }} / {{ ARETE_KNOWLEDGE_CHECK.length }}
{{ pf_l2_final_pct }}%

By topic (closing knowledge check)

{{ s.section }} {{ s.correct }} / {{ s.total }}
💪 Strongest {{ pf_l2_strongest_section.section }} ({{ pf_l2_strongest_section.correct }}/{{ pf_l2_strongest_section.total }})
📚 Revise {{ pf_l2_weakest_section.section }} ({{ pf_l2_weakest_section.correct }}/{{ pf_l2_weakest_section.total }})

The baseline was hidden during pre-work so it wouldn't bias your answers. Now that the workshop is over, you can compare them. A positive delta is a Level 2 learning gain in the Kirkpatrick framework — your team's collective gain is what the programme reports back to EDPS leadership.

📝

Your action plan ✓ submitted🔒 locked

Two commitments to write down before you leave. These are the most honest behaviour-change indicators the team collects on the day; they also seed the Level 3 follow-up survey three to six months later.

🔒 Your facilitator will open this at the close of the workshop.

✓ Submitted at {{ action_plan.submittedAt }}. Look at this again in 3 months when the follow-up survey arrives.
After the workshop

End-of-day feedback

L1

End-of-day feedback ✓ submitted🔒 locked

~5 min

A short reaction form covering content, methods, and facilitation. Eleven 1-to-5 ratings and three open questions. The "confidence in applying" items are the strongest early predictor of Level 3 outcomes — your honest answer is more useful than a polite one.

🔒 Your facilitator will open this just before you leave.

{{ group }}

1
Strongly disagree		2345
Strongly agree
{{ item.text }}
{{ pf_reaction_answered_count }} of {{ ARETE_REACTION.likert.length }} Likert items rated
✓ Submitted at {{ level1_reaction.submittedAt }}. Thank you.
After the workshop

Additional practice — 7 EDPB worked examples

Seven additional breach scenarios from the EDPB and EDPS guidelines. Each one has an established expected outcome — apply the methodology and compare your reasoning against the reference rationale.

+7

Additional practice — 7 EDPB worked examples

~15 min each

Sent by email roughly one week after the workshop. You will apply the methodology to seven additional cases from the EDPB and EDPS guidelines, each with an established expected outcome you can compare your reasoning against.

Unlocked. Choose any case to begin:

Resources

Reference library

Materials to consult before, during, and after the workshop. Six tabs: About ARETE · Glossary · EUDPR · EDPB Guidelines 9/2022 · EDPS Guidelines (Dec 2018) · Methodology primer.

The same library is reachable from inside the pre-work briefing and inside any open scenario — look for the 📚 Reference library button in the top bar of every screen.

Resources

Frequently asked questions

{{ item.q }}
Resources

Contact

For questions about the programme, schedule, or pre-work, reach the facilitation team at {{ COURSE_META.contactEmail }}.

ARETE training tool · for instructor-led delivery only
Facilitator only · Scenario brief

Scenario 1 — The Encrypted Gateway

The individual pre-work exercise: a consultant's encrypted laptop is stolen. Trainees work it at home on the paper template through an 8-screen guided briefing, then submit the pre-work diagnostic. It is ambiguous by design — strong arguments exist for both Unlikely risk and Risk. The goal is a defensible written rationale, not a single "correct" verdict.

Mode
Individual · home · pre-work
Difficulty
1 / 3
Unlock
ARETE-S1 (auto)
Expected band
Unlikely risk ⇄ Risk
Data subjects
~150 external experts
Deliverable
Paper template + diagnostic

How it flows — from invitation to the room

Pre-work email+ paper template Guided briefing8 screens · self-paced Capture on paperfirst-pass assessment Diagnosticbaseline · no feedback Workshop 09:00activation, not re-teach

Gold = before the day (at home); navy = in the room. Trainees should arrive having completed every box up to the diagnostic.

The case in 30 seconds

An external consultant's personal laptop is stolen in an opportunistic home burglary. It holds a local copy of ~150 external experts' contact data (name, professional email, affiliation; phone numbers added later — see the inject). BitLocker is enabled with a 20+ character passphrase; the MDM remote-wipe command was sent but is pending because the device has not reconnected. Backups exist (no availability loss). No special-category data.

Why it is ambiguous — the two defensible readings

Toward "Unlikely risk" — no EDPS notification
  • BitLocker + strong passphrase → data unintelligible
  • Opportunistic burglary (other electronics taken) — not targeted
  • Backups exist — no availability issue for the controller
  • No special-category data
Toward "Risk" — notify the EDPS
  • Remote wipe never executed — device may stay offline indefinitely
  • Encryption is intact today but not guaranteed forever
  • Inject: direct phone numbers were also exposed
  • Device is in an unknown actor's hands, offline
⚖ No single canonical answer — assess the written rationale, not the verdict.

The midway inject (Day 1, 14:00 UTC)

The MDM confirms the laptop has not connected to any network since the theft — the wipe cannot complete while it stays offline. Separately, the dataset also included the experts' direct phone numbers (added for logistics, outside the original spec). Prompt: does this change your assessment, and why?

How to facilitate the 09:00–09:25 activation

  1. Recap, do not re-teach. Ask 2–3 trainees for their band and one reason. The room should not be unanimous — surface the split.
  2. Compare to the baseline. The diagnostic is a Level-2 baseline; do not reveal "correct" answers — use it to show the spread of judgement.
  3. Draw out the three hinges: (a) when does Art. 34 "awareness" start — at detection, or when the DPO confirms personal data was involved? (b) is encryption a guarantee or a time-bound mitigation? (c) what did the inject change?
  4. Land the one-message: risk to data subjects drives the decision, not embarrassment to the institution.

Discussion blocks on the paper template

  • Block 1 — Immediate actions & internal information flow: technical containment; the notification chain; the precise moment of "awareness" for the 72-hour clock.
  • Block 2 — Breach identification: is this an Art. 3(16) breach? which of C/I/A? the consultant's status as processor and the role of the DPA.
  • Block 3 — Initial risk assessment: choose Unlikely risk / Risk / High risk and justify with specific factors; what information is still missing.

Model answer & teaching note

Instructor mode demonstrates the optimistic stance → LOW (trust the encryption: L1=1a "strongly encrypted" + crypto-effective downgrade; no EDPS notification, Art. 35(3)(a) exemption). The L1=4 stance → RISK / High risk (treat the encryption as defeatable while the device is unrecovered) is equally defensible. Optimistic-path scoring: L2=2, L3=1, I1=2, I2=1, harms empty with "harms taxonomy reviewed" ticked.

📦 Deliverables (per trainee)
  • Completed paper template (3 blocks + inject response)
  • Submitted pre-work diagnostic (baseline, locked)
  • Optional: one own-incident note to discuss
⚠ Facilitation watch-outs
  • Trainees who read "encrypted" and stop thinking — push on the pending wipe
  • Treating "encrypted = automatically LOW" as a rule
  • Confusing detection with "awareness" for the 72h clock

Handouts: ARETE_S1_paper_template.docx · ARETE_S1_workshop_pack.docx · ARETE_shared_reference.docx.

Facilitator only · Scenario brief

Scenario 2 — The Inter-Agency Data Leak

The only in-room scenario, delivered in three parts (roleplay → debrief → team decision). A phishing-driven cloud compromise exposes HR data for 15,000+ current and former employees and candidates. Expected outcome: HIGH RISK — notify the EDPS within 72h and communicate to data subjects under Art. 35.

Mode
In-room · teams · 3 parts
Difficulty
3 / 3
Unlock
ARETE-S2 (reveal on the day)
Expected outcome
HIGH RISK · Art. 34 + 35
Data subjects
15,000+ · 3 groups
Deliverable
Classification + Art. 35 draft

The attack chain

Phishing emaildoubled-a domain Credentials enteredMFA disabled Attacker loginforeign IP / VPN Lateral movement3 mailboxes 50 GB exfiltratedencrypted —DLP blind +5h: UEBA alertaccount blocked,contained

Data exposed: current & former employees — name, address, national ID, bank account, payroll; candidates — name, email, phone. The national-ID + bank combination is the §113-class identity-theft harm that drives HIGH RISK. The 5-hour detection gap is the institutional control failure to surface.

How the three parts run

09:00–09:25
Pre-work activation (S1)
09:25–10:05
Part A — Roleplay
10:05–10:35
Part B — Debrief
10:35–10:50
Break + inject #2
11:00–12:10
Part C — Teams (inject #3 @ 11:30)
12:10–13:00
Closing KC + plenary
Roleplay casting (rehearse at least twice — not improvised): Controller — Anna Bella Horvath · DPO — Laura Cerrato · IT Security Officer — Jose Maria Gonzalez Fraile.

Part-by-part

Part A — Roleplay · 09:25–10:05 · demonstration

Three facilitators act the breach meeting in role. The point is to demonstrate the framing tension — the Controller worried about institutional reputation, the IT Officer about the technical fix, the DPO pulling the conversation back to risk to data subjects. A mid-scene inject lands new facts. Trainees observe — they do not decide yet.

Part B — Debrief & methodology consolidation · 10:05–10:35

Metalinguistic debrief of the roleplay: name the framing errors the room just saw, then build the methodology on the flipchart — CIA, likelihood/impact, the three-tier outcome, and where Art. 34 vs Art. 35 sit. This is the bridge from "watching" to "doing".

Part C — Independent team decision · 11:00–12:10

Teams work the case on the tool: classify, justify, decide Art. 34 / Art. 35, and draft the four communication elements. Inject #2 (retention violation + press inquiry) is delivered at set-up; inject #3 is facilitator-delivered at 11:30. Mixed-discipline teams mirror a real breach-response team.

The inject (Day 2, 09:00 UTC)

Retained former-employee data (beyond the 7-year limit) is a separate storage-limitation violation; a journalist has contacted the spokesperson; thousands of access requests are flooding the inbox. Prompts: does the retention violation belong in the same notification? how does the press change timing? how does the volume of requests change the operational plan?

The four discussion blocks

  • Block 1 — Risk owners & information-security risks and the treatment plan.
  • Block 2 — Roles & communication: DPO / LCO / IT / senior management; internal and external communication plans.
  • Block 3 — Risk to data subjects & notification: distinguish the three groups; categorise under the three-tier framework; thresholds for notifying the DPO, the EDPS, and the data subjects; evidence needed.
  • Block 4 — Article 35 communication: draft the four elements for current employees — nature of the breach, likely consequences, mitigation steps, contact point.

Model answer & teaching note

HIGH RISK. L=4, I=4. §113-class harms: identity theft / fraud, financial loss, reputation damage. Notify the EDPS within 72h and communicate under Art. 35(1) — no Art. 35(3) exemption applies (no encryption; the institution holds the contact details). Key teaching point: separate the breach itself (HIGH RISK) from the accountability questions the injects raise (the storage-limitation violation and the press inquiry), and decide whether the retention violation belongs in the same Art. 34 notification.

📦 Deliverables (per team)
  • Risk classification + written justification
  • Art. 34 notification decision
  • Art. 35 four-element draft (nature / consequences / mitigation / contact)
  • Individual closing knowledge check
⚠ Facilitation watch-outs
  • Run the Risk-vs-High-Risk debate without shutting it down
  • Keep risk to data subjects central — not institutional reputation
  • The §113 harm class is what flips L4∧I3 to HIGH RISK
  • Don't let the injects derail the core notification decision

Handouts: ARETE_S2_paper_template.docx · ARETE_S2_workshop_pack.docx (inject cards) · ARETE_shared_reference.docx.

Facilitator

Cohort dashboard {{ arete_dashboard && arete_dashboard.cohort_id || '' }}

Live snapshot of how the cohort is progressing. Updates every 10 seconds and as soon as any trainee submits a questionnaire.

Loading cohort data…

⚠ {{ arete_dashboard_error }}

{{ arete_dashboard.counts.connected_attendees }}online now
{{ arete_dashboard.counts.total_attendees }}attendees
{{ arete_dashboard.counts.prework_readings_complete }}finished pre-work readings
{{ arete_dashboard.counts.diagnostic_submitted }}diagnostic submitted
{{ arete_dashboard.counts.kc_submitted }}knowledge check submitted
{{ arete_dashboard.counts.action_plan_submitted }}action plan submitted
{{ arete_dashboard.counts.reaction_submitted }}reaction submitted

Announce to the cohort

{{ arete_broadcast_status }} {{ arete_broadcast_input.length }} / 500 · Ctrl+Enter to send

Per-attendee progress

Username Online Role Last seen Readings L2 base L2 final Plan L1
{{ u.username || u.id }} {{ u.role }} {{ u.last_seen_at ? u.last_seen_at.slice(0, 16).replace('T', ' ') : '—' }} {{ u.prework.readings_done }}/{{ u.prework.readings_total }} {{ pf_dashCell(u, 'prework_diagnostic') }} {{ pf_dashCell(u, 'knowledge_check') }} {{ pf_dashCell(u, 'action_plan') }} {{ pf_dashCell(u, 'level1_reaction') }}

Pre-work diagnostic — answer distribution

No submissions yet. Average score: {{ arete_dashboard.stats.diagnostic.avg_score }} / {{ ARETE_DIAGNOSTIC.length }} (across {{ arete_dashboard.stats.diagnostic.submitted }} submissions).

Q{{ i + 1 }}. {{ q.stem }}
{{ opt.label }}✓ reference {{ pf_dashCount(arete_dashboard.stats.diagnostic.per_question[q.id], opt.value) }}

Closing knowledge check — answer distribution

No submissions yet. Average score: {{ arete_dashboard.stats.knowledge_check.avg_score }} / {{ ARETE_KNOWLEDGE_CHECK.length }} (across {{ arete_dashboard.stats.knowledge_check.submitted }} submissions). The Level 2 delta = this average − diagnostic average.

Q{{ i + 1 }}. {{ q.stem }}
{{ opt.value }}. {{ opt.label }}✓ correct {{ pf_dashCount(arete_dashboard.stats.knowledge_check.per_question[q.id], opt.value) }}

Action plan — commitments

No action plans submitted yet.

  • {{ a.display_name || a.user_id }}
    Will do differently: {{ a.do_differently || '—' }}
    Will talk to: {{ a.person_to_talk || '—' }}

End-of-day reaction — average ratings

No reaction surveys submitted yet.

ItemAverage (1-5)
{{ item.text }} {{ arete_dashboard.stats.reaction.per_item_average[item.id] != null ? arete_dashboard.stats.reaction.per_item_average[item.id] : '—' }}
📥 Download cohort export (JSON) Generated at {{ arete_dashboard.generated_at.slice(11, 19) }} UTC.

Facilitator solution keys

Model answers and pedagogical guidance for the in-room debrief. Confidential — do not share with trainees.

📥 Scenario 1 — The Encrypted Gateway (Word) 📥 Scenario 2 — The Inter-Agency Data Leak (Word)
{{ train_scenario.title }}
Screen {{ training_prework_step }} of 8

Welcome to your pre-work exercise

You are about to walk through {{ train_scenario.title }} step by step. This is your pre-work for the in-person ARETE workshop.

📋 What you'll do on these screens

  • Read the case one piece at a time — context, technical findings, then a midway update.
  • Capture your reading on the paper template as you go. We've put short prompts at the bottom of each screen so you know what to write.
  • At the end, you'll have a complete first-pass risk assessment in your own words.

📥 Before you start — print the paper template

You will need the paper template open in front of you as you read. Download it here if you haven't already.

🎯 The one-message to keep in mind

Risk to data subjects — not risk to the institution — drives breach notification decisions. As you read, keep asking yourself: what does this mean for the 150 external experts whose data is on that laptop?

Estimated time for the briefing: 20–30 minutes. You can stop and resume at any time.

The context

Before we get to the incident itself, here is who's involved and what data is being processed.

The institution

EU Connect is an EU institutional body. It runs UnionGate, an initiative that periodically hosts technical workshops bringing together external experts. EU Connect has well-defined IT security procedures, a Data Protection Officer (DPO), a Local Cybersecurity Officer (LCO), and a documented incident response procedure.

The processor

EU Connect uses an external consultant for specific workshop coordination tasks. The consultant operates under a service contract with a Data Processing Agreement (DPA) under Art. 29 EUDPR. The DPA requires:

  • Full-disk encryption on any device used to access or store EU Connect data.
  • Use of EU Connect's VPN for remote system access.
  • No local storage of personal data beyond what is strictly necessary; deletion within 30 days of task completion.
  • Immediate notification to EU Connect IT Security of any security incident.

The data

About 150 external technical experts — names, professional email addresses, and institutional affiliations — invited to a recent UnionGate workshop. No special-category data (no health, no political, no financial). The dataset is also retained on EU Connect's secured internal servers (i.e. a backup exists).

✍️ Capture on your paper template

Find Step 4 · Whose data was affected? in your template. What is the DS category? Note also: who is the controller, and who is the processor in this case? Is this a personal data breach as defined in Art. 3(16) EUDPR? You can consult the Reference library from the hub if you need to look up these definitions.

The incident — Day 1

Here is the chronology of how the institution learned about the incident.

✍️ Capture on your paper template

Find Step 1 · When did this happen? in your template. Note the key dates. Critical question: at what precise moment does EU Connect become "aware" of a personal data breach for the purposes of the 72-hour notification deadline under Art. 34(1) EUDPR? Justify your answer in one or two sentences.

(Tip from the Reference library: "awareness" means reasonable degree of certainty that a security incident has resulted in personal data being compromised — NOT just the moment IT first sees an alert.)

Initial technical findings (Day 1, 10:30 UTC)

The IT Security team has completed its first technical assessment. Here is what they have established so far.

Device security

  • The laptop had full-disk encryption (BitLocker) enabled, as required by the DPA.
  • The consultant confirms they used a strong, unique passphrase (20+ characters, mixed case, numbers and symbols, not a dictionary word, not reused for other services).
  • The IT Security team has issued a remote-wipe command via the Mobile Device Management (MDM) platform. The command is marked "sent". Execution is pending — it requires the device to connect to the internet, which it has not done since the theft.

Data involved

  • The laptop contained a local copy of the workshop dataset: names, professional email addresses, and institutional affiliations of approximately 150 external experts.
  • The DPA permits temporary local storage for justified tasks; it requires deletion within 30 days of task completion. The workshop took place 5 days ago; the dataset had not yet been deleted.
  • No special-category data on the device.

Availability and backups

  • EU Connect maintains up-to-date backups of all project data on internal secured servers. The data is not lost to EU Connect — no permanent availability issue for the controller.

Threat assessment

  • No evidence the passphrase has been compromised; no brute-force attempts on other accounts; no phishing linked to the burglary; no known vulnerabilities in the BitLocker implementation on this device's OS version.
  • The nature of the theft (burglary from a locked home office; other electronics also taken) suggests opportunistic theft rather than a targeted cyber-attack to acquire data.
  • Police report confirms forced entry through a window. No forensic evidence the laptop was specifically targeted.

✍️ Capture on your paper template

Now you have the technical facts. Find these steps in your template and fill them in based on what you've read:

  • Step 2 · CIA dimensions — which of Confidentiality / Integrity / Availability are in scope?
  • Step 3 · Root cause — what category?
  • Step 6 · L1 — can the data be read by whoever has it? Think carefully — the encryption is intact today, but the remote wipe is pending. What stance do you take?
  • Step 7 · L2 — where did the data end up?
  • Step 8 · L3 — accidental or deliberate?

Don't fill in I1 / I2 / harms yet — there's more to come on the next screen.

Pause — complete your first-pass scoring

You now have everything you need for an initial assessment. Take 5–10 minutes to fill in the remaining steps on your paper template.

✍️ Complete these on your template now

  • Step 9 · I1 — how sensitive is the data? (names + professional emails + institutional affiliations)
  • Step 10 · Volume — how many people? (150)
  • Step 11 · I2 — what consequences could the affected people experience?
  • Step 12 · Harms — which catalogued harms plausibly apply?
  • Step 13 · Containment — what's been done so far?

Then turn to the Result computation page of your template and work out:

  • L = MAX(L1, L2, L3) = ___
  • I_base = MAX(I1, I2) = ___, plus the I0 modifier = ___
  • The matrix output (LOW / RISK / HIGH RISK) — consult the Reference library's Primer if you need the matrix rules.
  • Your initial assessment in your own words: which risk level, and what's the one-paragraph rationale?
  • Your initial notification decision: Notify EDPS under Art. 34? Communicate to data subjects under Art. 35?

Take your time. When you're done, click Continue — new information will arrive that may change your assessment.

⚠ NEW INFORMATION — Day 1, 14:00 UTC

Update from IT Security

Several hours after your first assessment, IT Security comes back to you with two updates.

1. Remote wipe status. The MDM platform confirms that the stolen laptop has NOT connected to any network since the theft. The remote wipe command remains unexecuted. IT Security assesses that if the device remains offline indefinitely, the wipe cannot be completed.

2. Dataset scope. The workshop coordinator reports that the dataset on the laptop also included the experts' direct phone numbers, which were added to a separate column for logistical coordination. This was not part of the original dataset specification — but it was on the device when it was stolen.

✍️ Revise your paper template

This update changes two things you might have scored:

  • The encryption defence is weaker than you thought — if the device stays offline forever, the wipe never executes. Someone could keep the device for years and try to defeat the encryption with future tools. Does this change your L1 stance?
  • The data set is broader than you thought — phone numbers are direct contact identifiers. Does this change your I1, your harms taxonomy, or your I2?

Update your scoring on the template. Cross out the old values and write the new ones next to them — this gives you a record of how your thinking evolved (the workshop facilitator will want to see this).

Now write your revised assessment: did the level change? Did your notification decision change?

Discussion questions for the workshop

Below are the questions we'll discuss in the workshop. You don't need to answer them all in detail — pick the ones that matter most to you, and write a sentence or two per block on the back of your template. Bring your notes to the workshop.

{{ block.title }}

  1. {{ q }}

✍️ Pick 2–3 questions you find most challenging

Write a short answer for each one (one or two sentences). These are the questions we'll dig into during the workshop debrief — your written attempt is your starting position.

You're ready for the workshop 🎓

Well done. You've worked through the case, scored it twice (before and after the inject), and answered the discussion questions. Here's what to bring with you to the in-person workshop:

📋 What to bring

  • Your completed paper template with both the first-pass and revised scoring visible.
  • Your written rationale (one paragraph per scoring round) — in your own words, not copy-pasted.
  • Your answers to 2–3 discussion questions from screen 7.
  • Any specific question you'd like to raise during the introduction session.

🗓️ What happens at the workshop

  • The facilitator will demonstrate the same scenario in the assessment app, walking through the methodology step by step.
  • You'll compare your paper scoring with the facilitator's. We'll discuss where teams agreed, where they diverged, and why.
  • A second scenario will be revealed (it's currently locked in the hub) — that one is the team exercise.

💡 If you want to consult anything before the day

The Reference library on the pre-work hub remains open. Skim the EUDPR articles, the §113 harm class explanation, or the Risk-calculation primer if anything is unclear.

See you at the workshop!