Risk management is a widely used tool across various industries, and in the context of Data Protection Impact Assessments (DPIAs), its focus is specifically on risks to data subjects rather than the risks faced by the data controller.
Article 35(7)(c) of the GDPR mandates an assessment of “risks to the rights and freedoms of data subjects.” Recital 75 expands on this, clarifying that risks include physical, material, and non-material damage. The WP29 (now the EDPB) emphasizes that risks in a DPIA go beyond privacy concerns and can impact a broad range of fundamental rights. Typical risks to data subjects include:

Unauthorized access to personal data.

Alteration of personal data in an unapproved way.

Data loss or destruction.

The risk analysis process involves:
Recital 76 of the GDPR emphasizes that risk must be evaluated through an objective assessment, yet it does not prescribe a specific framework. Organizations are encouraged to establish and consistently apply their own methodology, ensuring transparency and accountability in every DPIA process. The Belgian Supervisory Authority further notes that each organization must formally define its risk assessment approach and apply it uniformly across all processing operations.
Neither the GDPR nor the WP29 guidance defines a fixed threshold for what constitutes “high risk.”
Organizations must therefore carefully document their risk evaluations, explain how they determined risk levels, and justify decisions made during each DPIA.
Comprehensive records provide evidence of compliance and demonstrate accountability to Supervisory Authorities.