Question: do we have to carry out a risk assessment for all In-Scope processings?
(“In-Scope” = in the scope of the GDPR)
The answer to this question is a clear « Yes ». The GDPR does not include any clear and explicit obligation to conduct a risk assessment, but such an obligation is implied in many of its provisions. The notion of risk is infused in almost all aspects of the GDPR, and a risk-based approach is a must for all Controllers (1). This implied obligation must be distinguished from the obligation to conduct a PIA, which is explicitly documented in the GDPR (Recital 75, Article 35) and which is mandatory only in certain cases (2). Risk assessments must also be conducted with all the legal implications they may have in mind: a Controller may be caught by its own assessments.
As a reminder, the risks to be assessed – and mitigated – are the risks for the Data Subjects, not the risks for the Data Controllers. The GDPR is about “The protection of natural persons in relation to the processing of personal data” (Recital 1). Each Data Controller, as a Company, may of course evaluate its own risks (that is even a good thing to do!), but the risks as understood by the GDPR are the risks created by the Controller for the Data Subjects when processing data relating to them. The Data Controller has the obligation to evaluate the risks it creates for the Data Subjects.
For the same reason, non-compliance with the GDPR should not be seen as a “risk” as understood in this context. There are two different points of view. Evaluating the risk for the Company is certainly a useful exercise, but no confusion should be made between the Company’s risks and the risks for the Data Subjects. Only the risks for the Data Subjects are to be considered in the context of this legal obligation.
Why do I believe we have to make a risk assessment for all processing operations?
“(76) The likelihood and severity of the risk to the rights and freedoms of the data subject should be determined by reference to the nature, scope, context and purposes of the processing. Risk should be evaluated on the basis of an objective assessment, by which it is established whether data processing operations involve a risk or a high risk”.
This provision is surprisingly not duplicated in any article of the GDPR. But many articles refer to the notion of risk.
“(83) In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption.”
Same comment as above. This clear recital is not reflected in any article of the GDPR.
Article 24 (3):
The appropriate technical and organisational measures to be put in place by the Controller must be adjusted to the risks. Question: how can we comply with this obligation without a risk assessment?
The same idea as in Article 24 applies to the provision describing the steps to be taken in view of “Data protection by design and by default”. So, here again, how can we comply with this provision without a risk assessment?
Security measures must be adapted to the risks.
Articles 33 and 34:
The rules applicable to data breaches depend on the risks resulting from the breach. So after reading these two articles the question arises: what are the risks for the Data Subjects?
Impact Assessment is mandatory in case of a “high risk”. This article of the GDPR refers explicitly to an assessment of the risks, and also to “the measures envisaged to address the risks”.
The DPO must take the risks into account when doing his/her job.
Risks are also to be taken into account when dealing with cross-border transfers.
Now the good news is that, legally speaking, a Data Controller cannot be fined for not conducting a risk assessment. Absent any explicit obligation to conduct a risk assessment, a Controller cannot be fined for breach of the law for not conducting one (sounds logical…). By comparison, any infringement of Article 35 (i.e. PIA) is clearly sanctionable (see Article 83(4)(a)).
The second lesson we could take is that, when conducting our risk assessments, we have to understand the implications they will have on the following aspects:
– Security aspects
– Data breaches
– Cross-border transfers
We not only have to conduct risk assessments, we also have to manage their consequences in terms of security measures and in terms of how we handle data breaches and cross-border transfers. This is true also for PIAs, which are due only in case of “high risk”.
Practically speaking, when confronted with a data breach, it will be difficult for a Controller to argue that the risks are « low », knowing that the same Controller evaluated them as « high » during the initial steps of the project.
Carrying out risk assessments is a legal obligation, to be fulfilled with all the legal implications their results may have in mind. A Controller may be caught by its own assessments.
Here you will find a paper about the role of Risk Management in Data Protection:
See the following Guidelines (page 17):
– EU – Belgium:
– EU – France (note: this model is dated June 2015 and may not be fully adapted to the GDPR):
– Non-EU – UK – PIA Code of Practice:
Responsibility of the controller
- Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.
Data protection by design and by default
- Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing,…
Security of processing
- Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:…
- In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
Notification of a personal data breach to the supervisory authority
- In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
Communication of a personal data breach to the data subject
- When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons…
Data protection impact assessment
- Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons…
- The assessment shall contain at least:
an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and
- Where necessary, the controller shall carry out a review to assess if processing is performed in accordance with the data protection impact assessment at least when there is a change of the risk represented by processing operations.
Tasks of the data protection officer
- The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.
Derogations for specific situations
- the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;