In evaluating whether a personal data breach is likely to result in a risk to the rights and freedoms of a data subject under subsection (3), a data controller and the Commission may take into account —
(a) the likely effectiveness of any technical and administrative measures implemented to mitigate the likely harm resulting from the personal data breach, including any encryption or de-identification of the data;
(b) any subsequent measures taken by the data controller to mitigate such risk; and
(c) the nature, scope and sensitivity of the personal data involved.