GDPR risk analysis lets the controller choose security measures that are appropriate to the level of risk a breach of personal data protection poses (GDPR Art. 32 requires measures "appropriate to the risk", not a fixed checklist).
The aim of the risk analysis is to:
- identify the nature, scope, context and purposes of the processing of personal data;
- assess the likelihood of a breach of personal data protection;
- assess the severity of such a breach for the rights and freedoms of natural persons;
- assess the resulting risk level of a breach of personal data protection for the rights and freedoms of natural persons.
Note that the risk is measured from the data subject's side (harm to the rights and freedoms of natural persons), not as the financial or reputational risk to the organisation.
Without the risk analysis it is almost impossible to:
- choose security measures appropriate to the risk level of a breach of personal data protection;
- assess whether a data protection impact assessment (DPIA) is required (Art. 35 requires one where the processing is likely to result in a high risk);
- demonstrate, as the accountability principle in Art. 5(2) demands, that appropriate security measures have been applied.
GDPR risk analysis may be carried out using:
- a methodology developed by the controller of the personal data itself;
- one of the existing, publicly available methodologies, for example the PIA tool published by CNIL (the French supervisory authority);
...as long as the methodology allows an objective assessment of the risk that a breach of personal data protection poses to the rights and freedoms of natural persons.
Regardless of how the risk analysis is carried out, it is documented in a written report (paper or electronic) together with a risk management plan that records the chosen measures and the residual risk, and it should be repeated when the processing, the technology used or the threat landscape changes.