
Risk assessment

As already described in detail in the content modules, data protection follows a risk-based approach. This means that the level of protection of personal data depends on the potential risk of the data processing. Many provisions of the GDPR are broadly worded and leave the controller room for manoeuvre to establish an appropriate level of protection.

The controller is free to carry out a risk assessment for the processing activities. We recommend such a risk assessment in the following cases:

  • If you are unsure about a processing operation.
  • If you process sensitive data as part of the processing.
  • If you are working with a service provider based outside the EU.
  • If the processing activity is fundamentally risky.


A risk assessment is used not only to evaluate the risk, but also for documentation purposes. If you have carried out a risk assessment, you can use it to prove that you have addressed the risk of the processing.

Note: As soon as you process special categories of personal data in accordance with Article 9 GDPR, a risk assessment is only the first step. The GDPR then provides for a data protection impact assessment to be carried out, and you should urgently seek support from a data protection expert.



Template