GDPR risk analysis allows the choice of security measures adequate to the level of risk of a violation of personal data protection.

The aim of risk analysis is to:

  • identify the nature, scope, context and purposes of processing of personal data;
  • assess the likelihood of violation of personal data protection;
  • assess the severity of violation of personal data protection for rights and freedoms of natural persons;
  • assess the risk level of violation of personal data protection for rights and freedoms of natural persons.

Without the risk analysis it is almost impossible to:

  • choose the security measures adequate to the risk level of violation of personal data protection;
  • assess whether a data protection impact assessment (DPIA) is required;
  • prove that adequate security measures have been applied.

GDPR risk analysis may be carried out using:

  • the controller's own methodology, developed by the controller of personal data;
  • one of the existing available methodologies, for example the PIA application developed by CNIL (the French supervisory authority);

...as long as the methodology allows for an objective assessment of the risk of a breach of personal data protection for the rights and freedoms of natural persons.

Regardless of how the risk analysis is carried out, it is documented in a paper or electronic report and by preparing a risk management plan.

Paweł Borek, attorney at law | Krzysztof Doliński, attorney at law

GDPR | Legal Office in Poznan