GDPR compliance is very much about risk management. Throughout the UK and EU GDPR, Data Controllers are required to implement protective measures corresponding to the level of risk of their personal data processing activities. Consequently, risk management is a foundational skill which all data protection and information governance professionals need to develop.
Risk in the UK GDPR
Key provisions of the UK GDPR which mandate a risk-based approach include:
Article 24 Responsibility of the Controller
“Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.”
Article 25 Data Protection by Design and by Default
“Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.”
Article 32 Security of Processing
“Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk,…”
Article 33 Notification of a Personal Data Breach to the Commissioner
“In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the Commissioner, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification under this paragraph is not made within 72 hours, it shall be accompanied by reasons for the delay.”
Article 33 Notification of a Personal Data Breach to the Data Subject
“When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.”
Article 35 Data Protection Impact Assessments (DPIAs)
“Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.”
Even where the word ‘risk’ is not explicitly used, the concept underpins a number of data protection principles in the UK (and EU) GDPR. For example:
Accountability Principle
Data Controllers must be able to demonstrate compliance. This involves documenting risk assessments, decisions, and mitigations, all of which are key components of risk management.
Lawfulness, Fairness, and Transparency
Fair and transparent processing demands that Data Controllers consider the potential impacts on data subjects, which essentially means assessing and managing risks to data subjects’ rights.
Data Minimisation and Purpose Limitation
Ensuring that only necessary data is collected and processed inherently involves evaluating what is proportionate and appropriate, which are concepts rooted in risk assessment.
Practical Skills DPOs and IG Officers Need
Given the prominence of risk in the GDPR, DPOs and IG professionals should cultivate the following competencies:
- Risk Identification: Being able to recognise threats to data confidentiality, integrity, and availability, whether technical (e.g. cyberattacks) or organisational (e.g. poor access controls).
- Risk Analysis: Assessing the likelihood and potential impact of risks and understanding their relevance to the rights and freedoms of individuals.
- Risk Evaluation and Prioritisation: Comparing estimated risks against risk tolerance and legal thresholds (e.g. what constitutes ‘high risk’ under Article 35).
- Mitigation Planning: Developing and implementing controls to reduce risk to an acceptable level, whether through encryption, training, anonymisation, or policy development.
- Ongoing Monitoring: Risk is not static. DPOs must continuously monitor changes in technology, regulation, and business practices that may affect data risk profiles.
For data protection and IG professionals, risk management is not a ‘nice-to-have’; it is a foundational skill.
Interested in developing your risk management skills further? Consider enrolling on our new Risk Management in IG workshop.