
in the GDPR?

3.5. What are the provisions embedding a risk-based approach in the GDPR?

The risk-based approach is embedded in the following GDPR provisions:

» Article 24 on the responsibility of the controller (which is related to the principle of accountability);
» Article 25 on data protection by design and by default;
» Article 30 on the obligation for documentation (records of processing activities);
» Article 32 on the security of processing;
» Articles 33 and 34 on personal data breach notifications;
» Article 35 on the obligation to carry out an impact assessment (DPIA); and
» Article 36 on prior consultation.


While the formulation of the risk-based approach varies to some degree in the above-listed articles, in essence, it aims to ensure that, whatever the level of risk involved in the processing of personal data, data protection principles and data subjects’ rights are respected. In practice, this means that the data controllers and processors need to adjust the data protection obligations to the risks presented by a data processing activity.167

Typically, the risk-based approach is conceptualized in the GDPR through the following elements:

» current standards (in terms of technical and organizational measures) for the means of processing;
» the cost of implementation;
» the nature, scope, context of the processing;
» purposes of the processing; and
» risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing.168

167 Kuner, C., Bygrave, L. and Docksey, C., The EU General Data Protection Regulation (GDPR): A Commentary (OUP 2020) 26.
168 Footnote 160, 9.
