In practice, we are coming across some confusion about the GDPR’s risk-based approach to compliance. It is important not to confuse this concept with risks facing your business or organisation.
Risk is the possibility of something happening which may cause loss, harm or damage, and it is usually assessed in terms of likelihood × severity.
In a GDPR compliance context, and where a risk-based approach is relevant, this means risk to the rights of data subjects that may result from you processing their personal data. In other words, risk to individuals, not to your business or organisation.
GDPR compliance obligations that refer to risk include accountability measures, data security measures, data breach notification, Data Protection Impact Assessment (DPIA), and privacy by design.
While the term “risk” is not defined in the GDPR, Recital 75 provides useful guidance.
When undertaking risk assessment under GDPR, the risk to individuals must be clearly understood and distinguished from the operational risks affecting your organisation, including possible regulatory sanctions, reputational harm and/or legal action that might result from GDPR non-compliance.