What is High and Very High Risk for GDPR?

The introduction of the General Data Protection Regulation (GDPR), on 25 May, 2018, is intended to regulate the way different member states of the EU deal with data protection matters, particularly with regard to high and very high risk data. This should lead to a new level of uniformity in regard to the protection of rights and freedoms of individuals across the Union.

It is important to note that this does not just apply to companies and organizations within the EU, but also to companies and organizations that have offices in an EU country or process the personal data of people located within the EU.

In order to comply with the GDPR, companies need to ensure that they process personal data in line with the new rules. This will involve the completion of a Data Protection Impact Assessment (DPIA) examining the various items of personal data they hold and their processing procedures.

Risk assessments are a mandatory step under the GDPR, which notes “the likelihood and severity of the risk to the rights and freedoms of the data subject should be determined by reference to the nature, scope, context and purposes of the processing. Risk should be evaluated on the basis of an objective assessment, by which it is established whether data processing operations involve a risk or a high risk”.

Identifying data processing that is high risk

There is guidance available from the EU concerning what may be considered as risky processing activities under the GDPR. This can be sought from the European Data Protection Board, a Board created by the GDPR itself in order to facilitate compliance. Individual supervisory authorities are also required to create and publish lists of data processing activities that will require DPIAs.

Companies should pay attention to this guidance and the information it provides about the harm that could result from high risk and very high risk processing activities. In doing so, they may come across best practices or other relevant information that will help them to complete their DPIAs as efficiently and as thoroughly as possible.

High risk processing cannot be specifically defined overall, but it can more easily be identified through consideration of a set group of criteria, including security of data, potential for a security breach, assurance of privacy, limitation of purpose, and the fairness of the processing involved. Large scale data processing and processing of sensitive data may also present higher risks. It should be noted that merely using new technology should not be classified as a high risk on its own; it needs to be considered in conjunction with other areas.

Each piece or area of data should be considered in its own context, as what might be considered high risk in one area might not be in another area. Once the assessment has been completed, companies are required to mitigate the risks that have been identified. If mitigation does not seem possible, then they must consult the relevant Data Protection Authority (DPA) before any unmitigated high risk processing is attempted.

As far as the GDPR is concerned, identifying high risk and very high risk processing is all about considering areas such as scope, reliability and security, as well as potential harm that could result from problems due to the nature of the data or the amount being used.

Companies then need to take steps to mitigate these risks as much as is reasonably possible in order to ensure they meet GDPR requirements.

It will be important to document the findings of the DPIA, as well as the corrective actions that the organization has taken. This documentation will be a key factor in the group’s ability to demonstrate to authorities that it is complying with the GDPR.