Protection classes and risk analysis

There are different risk classes for the processing of personal data. The processing of particularly sensitive data (e.g. health data or data of children and adolescents) or the processing of very large amounts of data (e.g. an app for the nationwide submission of tax returns) poses a high risk. Business email addresses, which may already be on the company's website, are less critical than personal data, such as the address, telephone number or date of birth of participants in a training course, which are otherwise not public. Data from which information about the personality or circumstances of the person concerned can be derived is particularly critical.


The "Data protection and IT security" learning unit will later describe how protection classes are defined and how a risk analysis is carried out for certain processing operations.


Once you have determined the risk class of the data you are processing, you can derive measures for processing the data that ensure the protection of the data:

  • Where is the data stored?
  • Who can access the data?
  • How long will the data be stored?
  • Which providers and service providers can be considered for processing this data? Does the level of protection correspond to the risk class?


Risk classes for project data

Project-related data is usually stored in an online repository to which all project participants have access. Here too, you should consider whether everyone involved should really have access to all data:

  • The project team's contact list may be less critical, especially if it is stored online with the consent of all project participants.
  • If, for example, lists with the participants' address data and other personal data are created later, consider restricting access to the people who need this data to carry out the training courses or to invoice them.



Task

Put yourself in the shoes of the data subjects whose data you are processing in your project. Is this data particularly worthy of protection? Is some of the data more worthy of protection than the rest? Do you believe that the data is stored securely in a manner appropriate to the risk?

Don't worry, you do not need to carry out a final check at this point. Rather, this is an initial assessment of whether you need to take further measures. If you have any concerns, do not hesitate to discuss them with other people in your organisation (e.g. data protection officer or the internal IT department).