Don’t know how to determine your data processing risk? Can’t figure out the likelihood and severity of potential damage? Wondering how to manage data processing risk and if you need a data protection impact assessment?

Then let one of our experienced lawyers conduct a GDPR risk analysis for you. We’ll make a summary assessment of your processing risk based on your record of processing activities and prepare a GDPR-compliant risk analysis for you.

We’ll first identify the risk, i.e. identify the damage that can be caused by a certain event. Then we’ll evaluate the likelihood of that risk and the severity of any ensuing damage. We use a risk matrix to classify the levels of risk.

From the analysis results, you’ll get important insights as to whether the data subjects (the affected persons) fall under high risk, thereby necessitating a data protection impact assessment.


How is the risk analysis performed?
Choosing a package

Choose the risk analysis you want based on the number of processing activities you would like to have assessed.

Questionnaire and record

Immediately after purchase, you can download a questionnaire that must be completed for every processing activity to be assessed. Then upload all of your completed questionnaires together with your record of processing activities.

Performing the risk analysis

One of our lawyers will carry out the risk assessment using the record of processing activities and completed questionnaire provided by you. After the assessment, you will receive a risk estimation as well as an evaluation of whether a data protection impact assessment is necessary.

Downloading the risk analysis

After completing the evaluation, our experts will provide a summary of the risk assessment that you can download from your user account. You’ll also be informed by email when the download is ready.

Frequently asked questions about performing a risk analysis

What is a risk analysis?

Every company has a legal obligation to adequately protect personal data from risk. The risk must be determined for every individual processing activity. The analysis essentially establishes how likely and how severe the damage to an affected person may be.

When should a risk analysis be carried out?

A risk assessment is necessary at a minimum in the following cases:

  • The processing risk has not yet been determined or has not yet been documented.
  • The risk has been determined and documented but conditions have changed, such as the following:
    • the use of new or modified technologies;
    • the use of service providers or changes in the use of service providers;
    • important changes in the scope of processing;
    • changes in legal conditions; these include changes in opinion by supervisory authorities, relevant court decisions or contractual obligations.

How is the risk assessment done?

We first check whether the processing activity reaches the threshold that triggers a data protection impact assessment. For this screening we use the recommendations of the Article 29 Working Party (WP248) as a guide.

As a next step, we identify the risks to the rights and freedoms of the affected persons and weigh them. For each risk we assess its likelihood and the severity of its potential impact.

The result is expressed as a risk class. The assessment includes an estimation, based on the information provided, of whether a data protection impact assessment is necessary.

In addition, we check whether the processing activity is a candidate for a data protection impact assessment because it appears on the lists of processing operations published by the supervisory authorities (Art. 35(4) GDPR).

What are the risk classes?

As there are no risk-free processing activities, they are categorised in the analysis as follows:

  • low risk
  • risk
  • high risk
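The screening and classification steps described above, as an added worked example that is not part of the original page and not the firm’s own method. The nine screening criteria and the “two or more criteria” rule are taken from WP248 rev.01; the three-step likelihood and severity scales, the score thresholds mapping onto the three risk classes, and the sample activities are assumptions constructed for this example.

```python
"""Worked GDPR risk screening: WP248 criteria, a likelihood/severity matrix
and the resulting DPIA decision. Constructed example, not the firm's method."""
from dataclasses import dataclass

# The nine screening criteria from the Article 29 Working Party guidelines WP248 rev.01.
WP248_CRITERIA = frozenset({
    "evaluation_or_scoring",
    "automated_decision_with_legal_or_similar_effect",
    "systematic_monitoring",
    "sensitive_or_highly_personal_data",
    "large_scale_processing",
    "matching_or_combining_datasets",
    "vulnerable_data_subjects",
    "innovative_use_or_new_technology",
    "prevents_exercise_of_right_or_use_of_service",
})

# WP248: a processing operation meeting two or more criteria will in most cases require a DPIA.
WP248_DPIA_THRESHOLD = 2

# Ordinal scales used for the matrix. ASSUMPTION: the real analysis may use finer scales.
LIKELIHOOD = ("remote", "possible", "likely")
SEVERITY = ("limited", "significant", "serious")


@dataclass
class ProcessingActivity:
    name: str
    likelihood: str
    severity: str
    criteria: frozenset = frozenset()        # subset of WP248_CRITERIA that applies
    on_authority_dpia_list: bool = False     # listed by a supervisory authority under Art. 35(4) GDPR


def wp248_count(criteria) -> int:
    """Count how many WP248 criteria apply, rejecting misspelled criterion names."""
    unknown = set(criteria) - WP248_CRITERIA
    if unknown:
        raise ValueError(f"unknown WP248 criteria: {sorted(unknown)}")
    return len(set(criteria))


def risk_class(likelihood: str, severity: str) -> str:
    """Map a (likelihood, severity) cell of a 3x3 matrix onto the page's three classes.

    The cell score is the product of the two ranks (1..3), so it ranges 1..9.
    ASSUMPTION: score >= 6 is 'high risk', 3..5 is 'risk', below 3 is 'low risk'.
    Unknown scale values raise ValueError from tuple.index().
    """
    score = (LIKELIHOOD.index(likelihood) + 1) * (SEVERITY.index(severity) + 1)
    if score >= 6:
        return "high risk"
    if score >= 3:
        return "risk"
    return "low risk"


def assess(activity: ProcessingActivity) -> dict:
    """Run screening and classification and record every reason a DPIA is triggered."""
    count = wp248_count(activity.criteria)
    cls = risk_class(activity.likelihood, activity.severity)
    reasons = []
    if activity.on_authority_dpia_list:
        reasons.append("listed by supervisory authority (Art. 35(4) GDPR)")
    if count >= WP248_DPIA_THRESHOLD:
        reasons.append(f"{count} WP248 criteria met")
    if cls == "high risk":
        reasons.append("high risk to the rights and freedoms of data subjects (Art. 35(1) GDPR)")
    return {
        "activity": activity.name,
        "wp248_criteria": count,
        "risk_class": cls,
        "dpia_required": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    # Constructed sample activities, not taken from any real record of processing activities.
    samples = [
        ProcessingActivity("newsletter dispatch", "possible", "limited"),
        ProcessingActivity(
            "employee location tracking", "likely", "significant",
            frozenset({"systematic_monitoring", "vulnerable_data_subjects"}),
        ),
    ]
    for activity in samples:
        print(assess(activity))
```

The three triggers are kept separate on purpose: an activity can land in the “risk” class on the matrix and still require a DPIA because it meets two WP248 criteria or sits on an authority’s list, and the reasons list makes that traceable in the written assessment.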

Service description for risk analysis

Please note the following guidelines regarding our risk analysis services:

  1. The risk assessment is based exclusively on the record of processing activities that we receive from you and the completed questionnaire that is available as a download. The assessment is based on the circumstances, type and extent of processing. We can only carry out the assessment on the basis of the information you provide. We will contact you if important information for the assessment is missing. The record of processing activities itself will not be reviewed; that service can be purchased separately. Missing or deficient details in the record of processing activities or in the questionnaire may lead to an incorrect risk assessment. If an appropriate risk analysis is not possible due to deficiencies in the record of processing activities and a review was not purchased, the service provider has the right to withdraw from the contract. Any charges for services rendered up to that point will be pro-rated.
  2. The service does not include a review of the correctness of functional responsibilities and company details of which we have no knowledge. The sole basis of assessment is the information provided by the controller.
  3. The risk analysis can be done in German or English. The analysis will be conducted in German if the controller does not choose a language.
  4. The service is considered rendered when the analysis-enhanced record of processing activities is available for download and a summary of the risk assessment is included. An adjustment to already transmitted documents is not possible.
  5. Services are rendered within 15 work days. The period begins on the work day after the record of processing activities as well as the completed questionnaire are uploaded. Should the work take longer due to the complexity of the details to be assessed, we will let you know immediately.