Energy Performance of Buildings (Scotland) Regulations 2025: data protection impact assessment
Data protection impact assessment (DPIA) produced as part of our intention to lay updated Energy Performance Certificate (EPC) regulations in October 2025. This DPIA has considered the evidence to understand any potential data protection outcomes from the reform of EPCs.
Risk assessment matrix
|
Risk Profile |
Rare likelihood |
Low likelihood |
Medium likelihood |
High likelihood |
Very high likelihood |
|---|---|---|---|---|---|
|
Very high impact |
50 |
100 |
150 |
200 |
250 |
|
High impact |
25 |
50 |
75 |
100 |
125 |
|
Medium impact |
10 |
20 |
30 |
40 |
50 |
|
Low impact |
5 |
10 |
15 |
20 |
25 |
|
Negligible impact |
1 |
2 |
3 |
4 |
5 |
Definitions
Remote: 1
Likelihood: Can’t believe this would happen – will only happen in exceptional circumstances (5-10 years)
Unlikely: 2
Likelihood: Not expected to happen but definite potential exists (2-5 years)
Possible: 3
Likelihood: May occur occasionally, has happened before on occasions – reasonable chance of occurring (annually)
Likely: 4
Likelihood: Strong possibility that this could occur – likely to occur (quarterly)
Almost certain: 5
Likelihood: This is expected to occur frequently, in most circumstances – more likely to occur than not (daily/ weekly/ monthly)
Negligible: 1
Impact: No real impact on individuals
Low: 5
Impact: Minor impact on individuals – minor distress or inconvenience
Medium: 10
Impact: Moderate impact on individuals
High: 25
Impact: Significant impact on individuals
Very high: 50
Impact: Extreme impact on individuals – risk to life or personal safety, serious financial impacts
Contact
Email: EPCenquiries@gov.scot