Risk assessment and data protection planning

Controllers have a responsibility to assess the risks relating to the processing of personal data every time they are about to process personal data.

A risk assessment allows controllers to plan the steps they need to take in order to control risks and ensure the appropriate processing of personal data in advance. Controllers also need to ensure that their data protection principles address the risks associated with data processing effectively.

Risk assessments pursuant to the General Data Protection Regulation must be carried out from the perspective of the data subject, which means that controllers must assess

  • which freedoms and rights of data subjects could be at risk and
  • what kind of damage could be incurred by data subjects from the envisaged processing of their personal data.

Damage can be physical, material or non-material.

Damage resulting from the processing of personal data includes, for example, the risk of

  • becoming a victim of fraud
  • financial losses
  • social disadvantage, such as damage to reputation
  • unauthorised reversal of pseudonymisation.

A controller’s clear understanding of its procedures for processing personal data forms a good foundation for risk assessment. The assessment must take into account the nature, scope, context and purposes of the processing of personal data.

Once the risks posed by the processing of personal data to data subjects’ rights and freedoms have been identified, the next step is to evaluate the severity and likelihood of each risk and the resulting damage. 

Identifying risks is especially important when controllers are planning technical and organisations measures designed to ensure data protection during the processing of personal data. Technical and organisational measures refer to, for example, instructions given to staff to ensure data protection, internal checks on use, the security of information systems, data encryption and other security measures.

Analysing risks is a continuous process: the adequacy of measures relative to the risks involved in processing needs to be reviewed at regular intervals and changes made if necessary. Controllers also have a duty to demonstrate their compliance with a risk-based approach.

Data protection impact assessments are one tool for analysing risks.  Impact assessments are only required if the envisaged processing of personal data poses a high risk to people’s rights and freedoms. However, controllers can carry out an impact assessment on all procedures that involve processing personal data.