Risk Assessment

Risk management is a widely used tool across various industries, and in the context of Data Protection Impact Assessments (DPIAs), its focus is specifically on risks to data subjects rather than the risks faced by the data controller. Article 35(7)(c) of the GDPR mandates an assessment of “risks to the rights and freedoms of data subjects.” Recital 75 expands on this, clarifying that risks include physical, material, and non-material damage.

The WP29 (now the EDPB) emphasizes that risks in a DPIA go beyond privacy concerns and can impact a broad range of fundamental rights, such as:

  • Freedom of speech
  • Freedom of thought
  • Freedom of movement
  • Prohibition of discrimination
  • Right to liberty, conscience, and religion

To structure the evaluation, WP29 frames the risks to personal data in terms of three feared events, each corresponding to the loss of one of the classic security properties:

  1. Illegitimate Access – Unauthorized access to or disclosure of personal data (loss of confidentiality).
  2. Undesired Modification – Alteration of personal data in an unapproved way (loss of integrity).
  3. Disappearance of Data – Loss, destruction or unavailability of personal data (loss of availability).

The risk sources and threats that could lead to each of these events are then identified separately, always from the perspective of the data subject rather than the organization.

Conducting the Risk Assessment

For each of the three feared events, the risk analysis process involves:

  1. Identifying risk sources and threats – Determining who or what (an external attacker, an insider, a contractor, a system failure) could cause the event, and by which means.
  2. Estimating severity and likelihood – Assessing how serious the consequences would be for the data subjects (physical, material or non-material damage) and how likely the event is to occur given the processing context and the existing safeguards.
  3. Determining risk levels – Combining severity and likelihood into a risk level, so that risks above the organization's chosen acceptance level are treated with additional measures and the residual risk is reassessed.

Recital 76 of the GDPR requires that the likelihood and severity of the risk be determined by reference to the nature, scope, context and purposes of the processing, and that the risk be evaluated through an objective assessment. No standardized risk evaluation framework is prescribed, however: each organization is free to choose its own methodology, as long as it is documented and applied consistently. The Belgian Supervisory Authority has explicitly stated that organizations must define their risk assessment methodology and ensure uniform application.

A consequence of this flexibility is that neither the GDPR nor the WP29 guidance sets a predefined numeric threshold for what qualifies as “high risk.” That qualification matters, because under Article 36(1) a residual high risk, that is, a high risk that remains after the planned mitigating measures are taken into account, obliges the controller to consult the Supervisory Authority (SA) before the processing starts. Organizations must therefore document their scoring scales, the ratings assigned to each risk and the measures relied on to reduce it, so that they can demonstrate compliance and justify why a given risk was or was not treated as high.