3. The theory and practice of a risk-based approach

3.5. What are the provisions embedding a risk-based approach in the GDPR?

The risk-based approach is embedded in the following GDPR provisions:
» Article 24 on the responsibility of the controller (which is related to the principle of accountability);
» Article 25 on data protection by design and by default;
» Article 30 on the obligation for documentation (records of processing activities);
» Article 32 on the security of processing;
» Articles 33 and 34 on personal data breach notifications;
» Article 35 on the obligation to carry out an impact assessment (DPIA); and
» Article 36 on prior consultation.

While the formulation of the risk-based approach varies to some degree in the above-listed articles, in essence, it aims to ensure that, whatever the level of risk involved in the processing of personal data, data protection principles and data subjects’ rights are respected. In practice, this means that data controllers and processors need to adjust the data protection obligations to the risks presented by a data processing activity.167 Typically, the risk-based approach is conceptualized in the GDPR through the following elements:
» current standards (in terms of technical and organizational measures) for the means of processing;
» the cost of implementation;
» the nature, scope, context of the processing;
» purposes of the processing; and
» risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing.168

167 Kuner, C., Bygrave, L. and Docksey, C., The EU General Data Protection Regulation (GDPR): A Commentary (OUP 2020) 26.
168 Footnote 160, 9.