On December 21, 2016, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP issued a white paper on Risk, High Risk, Risk Assessments and Data Protection Impact Assessments under the GDPR (the “White Paper”). The White Paper sets forth guidance and recommendations concerning the interpretation and implementation of the EU General Data Protection Regulation’s (“GDPR’s”) provisions relating to risk and risk assessment, which will become applicable on May 25, 2018. While risk assessments already are required under the EU Data Protection Directive, the GDPR broadens the relevance of risk and risk assessment by explicitly and comprehensively incorporating a risk-based approach to data protection.

Risk assessment allows organizations to classify processing activities according to their risks to individuals, prioritize compliance and devise appropriate mitigations. Thus, under the GDPR, organizations must assess the “likelihood and severity” of risks to individuals associated with organizations’ data processing activities, taking into account the nature, scope, context and purposes (and benefits) of the data processing. Processing operations that create lower risks to individuals’ fundamental rights and freedoms generally result in fewer compliance obligations, while “high-risk” processing operations will raise additional compliance obligations, such as the requirement to conduct data protection impact assessments (“DPIAs”).

The purpose of the White Paper is to:

  • identify and analyze the GDPR provisions on risk, high risk, risk assessment and DPIAs;
  • analyze the practical impact and implementation challenges of these provisions; and
  • provide recommendations on how these provisions can be consistently interpreted, implemented and enforced across Europe.

Points of focus in the White Paper include:

  • emphasizing the benefits of the risk-based approach as a means for effective data protection as well as data use;
  • avoiding unnecessary prescription and maintaining flexibility with respect to risk assessment or DPIA methodologies;
  • developing common classifications of risks and harms for consideration in risk assessments;
  • considering the benefits of processing in any risk assessments, as well as the proportionality between risks and benefits;
  • developing sensible lists of high-risk processing that focus on criteria and examples, or that allow organizations to rebut the presumption of “high risk” with respect to any listed activity;
  • the nature of prior consultations;
  • mitigation and residual risk; and
  • the relevance to DPAs of the risk-based approach in discharging their regulatory and enforcement obligations more effectively.

The White Paper was developed in the context of CIPL’s ongoing GDPR Implementation Project, a multi-year initiative involving research, workshops, webinars and white papers, supported by over 70 private sector organizations, with active engagement and participation by many EU-based data protection and governmental authorities, academics and other stakeholders.