GDPR
Risk assessment in accordance with GDPR
Companies must carry out a risk assessment in accordance with the GDPR before they start new processing of personal data, introduce new IT systems or plan new technologies that process personal data.
Risk assessment: Starting from the perspective of the data subjects
When carrying out a risk assessment, the company should consider the risks that the processing poses to the data subjects, not the risks to the company itself. In other words, start from the perspective of the data subjects.
For example, the processing of personal data may expose data subjects to discrimination, identity theft, financial loss or damage to their reputation.
When do companies need to conduct a risk assessment in accordance with GDPR?
A risk assessment must be carried out before the company, among other things:
- Initiates new processing of personal data.
- Introduces new IT systems.
- Plans to use new technology.
Please note that companies must also conduct a new risk assessment when a personal data breach or other incident reveals deficiencies in their safeguards.
Steps in a risk assessment in accordance with GDPR

Types of personal data
The first step is to record the types and categories of personal data to which the processing relates: for example, whether it includes special categories of personal data (sensitive data such as health data) or other privacy-sensitive personal data, together with the scope of the processing, where the data are stored and for how long.

Identified risks
The second step is to identify the possible risks of the processing: for example, what consequences the data subjects could suffer if an unauthorised person gains access to the personal data, or if the data are lost, altered or used for a purpose other than the one they were collected for.

Probability
The company shall then analyse how likely it is that each identified risk will occur. Often this is done with a risk matrix that combines the likelihood of each risk with the severity of its consequences for the data subjects, so that each risk is classified as low, medium or high.

Safeguards
In order to minimise the risks and consequences of the processing of personal data, the company shall implement appropriate safeguards, both technical and organisational, matched to the risks identified in the previous steps. Examples are encryption or pseudonymisation of personal data, two-factor authentication, access control and training for employees. The remaining risk after the safeguards have been applied should then be assessed again.

Documentation
The risk assessment should be documented in writing, so that the company can demonstrate that it complies with the GDPR in practice, as required by the principle of accountability in Article 5(2) of the GDPR. The documented risk assessment shall include, among other things, the method used by the company, the risks involved in the processing, the safeguards chosen and whether the company has decided to carry out a full data protection impact assessment (DPIA) under Article 35 or not.
Review risk assessments regularly
The company should put in place a routine for regularly reviewing the risk assessments it has carried out, for example by assigning the task to a specific employee who schedules the reviews in their calendar. The risks can change over time depending on several factors, such as changes to the processing, the systems involved or the threat landscape, so it is important to ensure that the risk assessments are kept up to date. A risk assessment should also be reviewed whenever the processing changes or an incident occurs.
Learn more
Legitimate Interest Assessment
Companies need to conduct a Legitimate Interest Assessment (LIA) in order to determine whether they have a legitimate interest in a particular processing operation or not. Legitimate interest is one of the six legal bases of the GDPR (Article 6(1)(f)). Under Article 21 GDPR, data subjects have the right to object to processing based on legitimate interest. However, this does not automatically mean that the company must stop the processing. The company must instead make a new assessment after the data subject has objected, and it may continue the processing only if it can demonstrate compelling legitimate grounds that override the interests, rights and freedoms of the data subject. Note that an objection to processing for direct marketing purposes must always be honoured.