High-Risk Processing Under GDPR

The General Data Protection Regulation (GDPR) has affected how organisations handle all types of consumer data, but some types of information require more care than others. GDPR considers particular types of data or data processing methods to be ‘high risk’. Organisations handling this type of data, or processing this data, should take particular care to ensure that their practices are GDPR compliant.

An excellent first step towards compliance is to conduct a Data Protection Impact Assessment (DPIA). The DPIA consists of the organisation auditing and assessing the personal data that they currently hold. Conducting a DPIA is a GDPR mandate; the legislation states “the likelihood and severity of the risk to the rights and freedoms of the data subject should be determined by reference to the nature, scope, context and purposes of the processing. Risk should be evaluated on the basis of an objective assessment, by which it is established whether data processing operations involve a risk or a high risk”.

Organisations around the world should take note of these rules. Although ostensibly an EU law, GDPR affects any organisation that collects data from within the EU, regardless of the physical location of their headquarters.

High-Risk Processing Activities

Following the introduction of GDPR, the EU created the European Data Protection Board. GDPR states that organisations can seek guidance on high-risk processing activities from this Board – “guidance on the implementation of appropriate measures and on the demonstration of compliance […] especially as regards the identification of the risk […] and the identification of best practices to mitigate the risk, could be provided […] by the Board”.

GDPR offers no explicit definition of what exactly constitutes high-risk data or high-risk data processing activities. The laws indicate that organisations should be able to determine what falls into these categories after conducting the DPIA.

There are some examples of what organisations might consider high risk, such as the processing of large amounts of data or sensitive data. The assessment should evaluate “the origin, nature, particularity and severity of […] risk”. Organisations should also conduct assessments on areas such as data security, data breach risks, privacy concerns, extent of data held or collected, and the type of processing activity carried out.

GDPR provides some guidance on what might be categorised as risky processing activities, stating “such types of processing operations may be those who, in particular, involve using new technologies, or are of a new kind and where no data protection impact assessment has been carried out before by the controller, or where they become necessary in the light of the time that has elapsed since the initial processing”. Just because an activity falls into one of these categories does not mean that it is automatically high-risk; organisations should take a holistic approach when conducting the assessment.

Organisations should take the necessary steps to ensure that any issues identified in the assessment are rectified to become GDPR compliant. Organisations should implement the appropriate safeguards to ensure that data remains secure and private. Data controllers who are concerned that they cannot correctly address these issues should consult with their supervisory authority before they start any processing activities.

GDPR requires risks to be assessed, identified and addressed in so far as possible. Organisations should consider the nature, scope, context and purposes of the processing, and the sources of the risk. GDPR requires businesses to document the actions taken to reduce risks so that supervisory authorities can review them. Failure to assess, address, or record risk reduction measures will most likely be considered a violation of the GDPR and could result in penalties and financial sanctions.