General Data Protection Regulation: Facing Risk

Posted by Jeff Pelliccio on Sep 6, 2017 9:00:00 AM

In ICS insights

Over the past decade—ripe with an ever-increasing annual number and variety of data breaches—IT experts have been forced to focus their attention and efforts on the "risk principle" as a key component when it comes to regulation.  

The risk principle is the concept that business leaders should invest in more resources that illuminate the most significant threats to their customers' data before developing a law that encourages a more nuanced approach versus a one-size-fits-all regulation.  

In an effort to protect the citizens of all EU nations, considered the far-reaching and often devastating impact that results in the wake of any type of scale of data breach. They noted that data breaches result in the compromise of customer information and identity theft, which ultimately leads to a loss of customer trust.  

In April 2016, the EU adopted the General Data Protection Regulation (GDPR), which adopts the risk principle but takes two slightly different approaches.  

How Does the EU Apply the Risk Principle in the GDPR?  

With the GDPR becoming fully effective on May 25, 2018, it is important for business leaders who handle the confidential data belonging to EU customers to understand the risks and risk assessments associated with the regulation. While risk assessments have already been performed under the EU Data Protection Directive of 1995 ("the Directive"), "the GDPR broadens the relevance of risk and risk assessment by explicitly and comprehensively incorporating a risk-based approach to data protection," according to The Privacy & Information Security Law Blog.  

The GDPR first focuses on risk-as-continuum before moving forward to the second part, which features two categories of risk, which are "risk" and "high risk."    


Like the Directive, the new regulation requires a legal foundation for any processing of any personal data. The GDPR definitely takes risk-as-continuum several steps further than the Directive did, focusing on customizing the specific risk that the data processing may pose. In fact, the risk principle serves as one of the cornerstones of the GDPR in Article 22, which requires data controllers to review various risks, as well as the likelihood and severity of those risks against the rights and freedoms of EU-based consumers.  

Subsequent GDPR Articles—such as Articles 23, 28 and 30—build on this examination of risk factors, working on the idea that risk increases sequentially. Each organization must gather their specially formed technical and organizational teams to respond to any discovered risk with the appropriate measures.  

As a practical measure, the GDPR uses the risk principle for data protection design, recordkeeping and security.  


While the risk-as-continuum focuses on risk-avoidance, the risk-as-disjunctive focuses on two categories of specific risk, which are "risk" and "high-risk."  

  • Risk. The risk category, which also includes "no-risk" and "low-risk," is the standard operating level of risk for any given company following proper risk management protocols. With proper technical and organizational measures, this risk does not trigger any specialized requirements.  

  • High-Risk. Anytime the high-risk category is detected, the GDPR demands that the organization proceed with new requirements in processing personal customer data. The most prevalent trigger of a high-risk designation results from a data breach notification. In the case of a high-risk data breach, the data protection officer—or other responsible party—must inform the data subject of the data breach and its reach and scope.  

The GDPR Risk Assessment  

Identifying the various categories of potential risks and harms, as well as specific risks and harms, to EU-based customers comes down to performing the fundamental risk assessment. In the GDPR, "risk underlies organisational accountability and all data processing," reports the Information Policy Centre

 Organizations need to perform risk assessments as part of the Privacy Impact Assessment (PIA) and Data Protection Impact Assessment (DPIA) to measure the levels of privacy and security provided by the system, and if necessary, to manage high-risk processing.  

The Value of the Risk-Based Approach Built Into the GDPR  

With the risk-based approach of the GDPR, an organization's compliance team can easily classify the necessary processing activities in relation to the risks to individuals, which makes it easier for them to prioritize compliance duties and develop means to diminish negative implications of the risk.  

How to Kick Off Your Strategy to Use the General Data Protection Regulation to Avoid Risk?

Your best strategy for complying with the risk-based approach of the General Data Protection begins with building your dream GDPR compliance team, including professional team members who can readily manage the technical, organizational and compliance aspects of the project.  

Your GDPR team is awaiting you at ICS. Our team of staffing professionals can help you assess your human resource needs to tackle the regulation for your EU customers' protection, as well as for the protection of your own organization's stellar reputation. 

Find Talent NOW

FTN Legal Compliance.png