3. The theory and practice of a risk-based approach

It allows the one-size-fits-all approach to be overcome, to a certain extent. The measures an SME that only performs low-risk data processing must adopt in order to comply with the GDPR can be far more limited than those required of an SME whose business activities are based on high-risk data processing operations. Although the risk-based approach is easy to identify in the text of the GDPR, it can still be tricky to apply in practice. As suggested by the European regulators, the risk-based approach may include the use of baselines, best practices, and standards. These might provide a useful toolbox for controllers to tackle similar risks in similar situations (situations determined by the nature, scope, context and purpose(s) of the processing). It is therefore worth understanding what practices and solutions already exist in your industry or field.

3.7. A risk-based approach in practice

3.7.1. Responsibility of the controller and the principle of accountability

Background

The accountability principle establishes that 'the controller shall be responsible for, and be able to, demonstrate compliance with' the other principles relating to the processing of personal data and the GDPR. Processors are also expected to be accountable, as they have to comply with obligations related to accountability and assist the data controller with a number of their compliance requirements.[171] Hence, the principle is relevant for any SME, regardless of their role in the processing operations.

[171] For example, processors have to keep a record of processing activities (Article 30(2) GDPR); appoint a DPO in certain situations (Article 37 GDPR); and implement technical and organisational measures to ensure the security of processing (Article 32 GDPR). See FRA/ECtHR/EDPS, Handbook on European data protection law (Publications Office of the European Union 2018) 135, 136.