Risk Mitigation

The final operational phase of a Data Protection Impact Assessment (DPIA) involves identifying and implementing mitigation measures that reduce the risks to data subjects’ rights and freedoms. Under Article 35(7)(d) of the GDPR, this phase requires outlining:

“The measures envisaged to address the risks, including safeguards, security measures, and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation.”

The Risk Treatment Process

In ISO 31000, this phase is referred to as “risk treatment,” where organizations weigh the cost of mitigation measures against the reduction in risk they achieve. However, WP29 guidance emphasizes that, in a DPIA, risk must be assessed from the perspective of data subjects rather than that of the data controller.

A key concept in this phase is “residual risk”—the risk that remains after mitigation measures have been applied. The ISO Guide 51 framework describes an iterative process, where risks are re-evaluated after each mitigation step. Although the WP29 DPIA guidance does not explicitly mention iterative risk reduction, it does acknowledge residual risk and requires that risk be reassessed after mitigations.

Determining Acceptable Risk Levels

  • No “Zero Risk” Standard: The Spanish SA has made it clear that achieving zero risk is impossible in data protection risk management. The goal is not to eliminate all risks but to reduce them to an acceptable level.
  • No Defined Thresholds: WP29 does not provide objective measures for what constitutes “sufficient” risk mitigation, leaving the judgment to the data controller.
  • Supervisory Authority (SA) Involvement: If residual risk remains high after mitigation measures, organizations must consult with the SA.

Key Takeaways

  1. Risk mitigation is an iterative process—risks must be reassessed after applying security and compliance measures.
  2. Mitigation must be from the perspective of data subjects, not just the organization.
  3. There is no predefined threshold for when risk is considered sufficiently mitigated—this is at the controller’s discretion.
  4. Consultation with the SA is required if residual risks remain high.
  5. Cost cannot be a sole justification for failing to implement effective mitigations (Belgian SA ruling).

This final phase of the DPIA ensures that risk levels are reduced to an acceptable threshold, recognizing that some level of risk will always remain.