In practice, we are coming across some confusion about the GDPR’s risk-based approach to compliance. It is important not to confuse this compliance concept with the risk facing your business or organisation.
Risk is the possibility of something happening which may cause loss, harm or damage, and it is usually assessed in terms of likelihood × severity: how probable the event is, and how bad its consequences would be.
In a GDPR compliance context, and where a risk-based approach is relevant, "risk" means risk to the rights and freedoms of individuals that may result from your processing of their personal data. In other words, risk to individuals, not to your business or organisation.
GDPR compliance obligations that refer to risk include the accountability measures a controller must put in place (Article 24), data protection by design and by default, often called privacy by design (Article 25), security of processing (Article 32), personal data breach notification (Articles 33 and 34), and the Data Protection Impact Assessment (DPIA) required for high-risk processing (Article 35).
While the term "risk" is not defined in the GDPR, Recital 75 provides useful guidance by listing the kinds of harm to individuals it has in mind (for example discrimination, identity theft or fraud, financial loss, reputational damage, and loss of control over personal data), and Recital 76 adds that likelihood and severity should be determined by reference to the nature, scope, context and purposes of the processing, on the basis of an objective assessment.
When undertaking a risk assessment for GDPR compliance purposes, risk to individuals must therefore be understood and kept distinct from the important operational risks affecting your organisation (risk to you), such as regulatory sanctions, reputational harm and legal action that might result from GDPR non-compliance. The two are related, since failing to identify and mitigate risk to individuals is itself a form of non-compliance, but they are different questions and should not be merged into a single assessment.