Don’t know how to determine your data processing risk? Can’t figure out the likelihood and severity of potential damage? Wondering how to manage data processing risk and if you need a data protection impact assessment?
Then let one of our experienced lawyers conduct a GDPR risk analysis for you. We’ll make a cursory assessment of your processing risk based on your record of processing activities and prepare a GDPR compliant risk analysis for you.
We’ll first identify the risk, i.e. identify the damage that can be caused by a certain event. Then we’ll evaluate the likelihood of that risk and the severity of any ensuing damage. We use a risk matrix to classify the levels of risk.
From the analysis results, you’ll get important insights as to whether the data subjects (the affected persons) fall under high risk, thereby necessitating a data protection impact assessment.
Every company has a legal obligation to adequately protect personal data from risk. Risk must be determined for every individual processing activity. The purpose of the analysis is to establish how likely, and how severe, the damage to an affected person may be.
A risk assessment is necessary at a minimum in the following cases:
- The processing risk has not yet been determined or has not yet been documented.
- The risk has been determined and documented but conditions have changed, such as the following:
  - the use of new or modified technologies;
  - the use of service providers or changes in the use of service providers;
  - important changes in the scope of processing;
  - changes in legal conditions; these include changes in opinion by supervisory authorities, relevant court decisions or contractual obligations.
We’ll first assess whether the processing activity can be categorised at a threshold level. To do this, we use the recommendations of the Article 29 Working Party (WP248) as a guide.
As a next step, we determine and weigh the risks to the rights and freedoms of the affected persons. Each risk is assessed in terms of its likelihood and the severity of its potential impact.
The risk is defined through classification into a risk class. The assessment includes an estimation of whether a data protection impact assessment is necessary based on the information provided.
In addition, we will check whether the processing activity is considered a candidate for a data protection impact assessment based on how it is ranked on the supervisory authorities’ lists.
As there are no risk-free processing activities, they are categorised in the analysis as follows:
- low risk
- high risk
Please note the following guidelines regarding our risk analysis services:
- The risk assessment is based exclusively on the record of processing activities that we receive from you and the completed questionnaire that is available as a download. The assessment is based on the circumstances, type and extent of processing. We can only carry out the assessment based on the information you provide. We will contact you if we are missing any important information for the assessment. The record of processing activities will not be reviewed; this service can be purchased separately. Missing or deficient details in the processing activities or in the questionnaire may lead to an incorrect risk assessment. If an appropriate risk analysis is not possible due to deficiencies in the record of processing activities and a review was not purchased, the processor has the right of withdrawal. Any charges for services rendered up to this point will be pro-rated.
- The service does not include a review of the correctness of functional responsibilities and company details for which we have no knowledge. The standards of assessment are solely those details that are provided by the controller.
- The risk analysis can be done in German or English. The analysis will be conducted in German if the controller does not choose a language.
- The service is considered rendered when the analysis-enhanced record of processing activities is available for download and a summary of the risk assessment is included. An adjustment to already transmitted documents is not possible.
- Services are rendered within 15 working days. The period begins on the working day after both the record of processing activities and the completed questionnaire have been uploaded. Should the work take longer due to the complexity of the details to be assessed, we will let you know immediately.