
3.6. How can a risk-based approach benefit SMEs?


The risk and the assessment criteria are the same: the assets to protect are always the same (the individuals, via the protection of their personal data), against the same risks (to individuals’ rights and freedoms), taking into account the same conditions (nature, scope, context and purposes of processing).169


3.6. How can a risk-based approach benefit SMEs?

Risks for data subjects do not depend on the size of the controllers, but on the nature, scope, context and purpose(s) of the processing operations.

Considering compliance with the GDPR through the lens of a risk-based approach is particularly useful for SMEs for the following reasons:

» SMEs enjoy certain freedom in determining the techniques to be used to perform the risk analysis and to evaluate the level of risk of the processing operations. Likewise, SMEs are free to choose the measures to mitigate such (high) risks;

» It allows flexibility when adhering to data protection requirements. It does not prescribe or demand a particular measure to comply with the law. Instead, it requires that the SME understands the data processing operation by considering its nature, scope, context, and purposes, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons whose personal data is being processed. In practice, this means that the GDPR grants SMEs enough margin to customize technical and organizational solutions to their specific needs.170

169 Ibid.

170 Footnote 14.
