Product Risk Assessment — Level 1A

Scope

Defining what's in scope is the foundation of any risk assessment. Vague boundaries lead to missed obligations.

Q1. What are you assessing?

Select one

A. A new product or service

B. A new feature or significant change to an existing product

C. An existing product, reviewing it for the first time

D. A third-party tool or service your organization is adopting or already uses

E. A portfolio or program of multiple products

This tells us what you are bringing to the assessment. It shapes which questions are relevant and how we frame the findings.

Q2. Where are you in the process?

Select one

A. Early idea — no design or build decisions made yet

B. Designing — working out what to build, engineering not yet engaged

C. Building — engineering is engaged and implementation decisions are being made

D. Already live — this is a retrospective review

E. Not sure

This tells us how far along you are. The earlier you are, the more the findings are about decisions you still need to make. If you are reviewing something already live, the findings are about confirming what is in place.

Q3. How is your product or service delivered?

Select all that apply

Automated systems, agentic AI, and physical products each trigger distinct regulatory regimes — including EU AI Act conformity obligations and product safety certification — on top of general data protection law. The delivery type is the first filter that determines which rules apply.

The way your product is delivered shapes the nature of potential harms. A physical device that acts on the world has different risk characteristics than a web app or a human-delivered service. Select everything that applies — many products combine multiple delivery types. If you are unsure, start with your primary delivery type and add any secondary ones.

Q4. In which countries or regions will your product be available or used?

Select all that apply

A. United States

B. Canada

C. United Kingdom

D. European Union / European Economic Area (EU member states plus Iceland, Liechtenstein, and Norway)

E. Global — not geographically constrained

F. Not yet decided

Data protection and online safety laws apply based on where the people affected by your product are located — not where your company or servers are based. Select every country or region that applies. If you are not sure yet, select "Not yet decided" — this is itself a risk signal.

Q5. Will your product allow users to create, upload, or share any form of content?

Select all that apply

Allowing users to create or share content triggers mandatory safety obligations under the UK Online Safety Act and EU Digital Services Act that must be in place before users can access the product — not added after launch. The type of content (public posts, file uploads, messaging) determines which specific obligations apply and how demanding they are.

A. Yes — users can post or share content that is publicly visible (e.g. social posts, public profiles, open forums)

Safety Risk high

This answer indicates a higher risk level in this area.

B. Yes — users can send content in private or group messages (e.g. direct messages, group chats, private channels)

Safety Risk high

This answer indicates a higher risk level in this area.

C. Yes — users can upload files, images, video, or audio (e.g. photo uploads, document sharing, video posts)

Safety Risk high

This answer indicates a higher risk level in this area.

D. Yes — users can post reviews, ratings, or feedback visible to other users

Safety Risk high

This answer indicates a higher risk level in this area.

E. Yes — users can create or publish content that was generated by AI tools (e.g. AI-written text, AI-generated images) — this is about content your users share, not about your product's own AI features

Safety Risk medium

This answer indicates a higher risk level in this area.

F. Yes — users can interact with or respond to other users in real time (e.g. live chat, comments, reactions)

Safety Risk high

This answer indicates a higher risk level in this area.

G. No — the product does not allow users to create or share content

H. Not yet decided

User-generated content means anything your users can create, upload, or share through your product — posts, messages, files, reviews, reactions. Select every type that applies. If your users can only post reviews, you do not also need to select "publicly visible content" unless they can also post other types of public content.

Q6. Which of the following areas has a named person responsible for it in your organization?

Select all that apply

Specific regulations require named individuals to own compliance decisions — the UK Online Safety Act makes senior manager accountability a personal legal obligation, and GDPR requires a documented Data Protection Officer appointment at certain thresholds. Without clear ownership, the obligations this assessment surfaces are likely to go unaddressed during design and build.

A. Privacy and data protection (e.g. Data Protection Officer, Chief Privacy Officer, or equivalent)

B. Online safety and trust (e.g. Trust and Safety Lead, Online Safety Manager, or equivalent)

C. AI governance and responsible AI (e.g. AI Ethics Lead, Responsible AI Officer, or equivalent)

D. Children's safety and welfare (e.g. Children's Safety Lead, Child Protection Officer, or equivalent)

E. Information security (e.g. Chief Information Security Officer, Security Lead, or equivalent)

F. None of the above — these areas do not have named responsible people

Privacy Risk highSafety Risk mediumAI Risk medium

This answer indicates a higher risk level in this area.

G. I'm not sure — I need to find out

Privacy Risk medium

This answer indicates a higher risk level in this area.

H. This is a personal project, sole trader, or very small team — formal governance roles don't apply yet

Privacy Risk medium

This answer indicates a higher risk level in this area.

Each of these areas carries specific legal or regulatory accountability obligations. One person can cover multiple areas — what matters is that each area has someone named. If your product is early stage or a small team, select everything that currently has someone responsible, even informally.

Q7. Which sector or deployment context best describes your product?

Select all that apply

Operating in a regulated sector adds mandatory requirements on top of general data protection and AI law — and in sectors like health, financial services, and legal, regulatory approval may be required before the product can legally operate. Misidentifying your sector is one of the most expensive mistakes in product development: the obligations are different in kind, not just degree.

The sector your product operates in determines which specific regulations apply — beyond general data protection and AI law. Some sectors have mandatory regulatory approval processes before launch. If your product operates across multiple sectors, select all that apply. If none of these fit, select general commercial.