Abstract
The GDPR imposes a general duty on controllers of personal data processing operations to “[take] into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons” posed by each personal data processing operation, and to “implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation” (Art. 24(1); cf. also Art. 25(1))). Compliance with these requirements demand that the relevant risks be ascertained, recorded and addressed (mitigated). This applies a fortiori to personal data processing operations which, on the basis of such a general risk assessment, are held to pose a likely “high risk to the rights and freedoms of natural persons” (Art. 35(1)). In such a case, the controller is required to carry out, and record, a formal Data Protection Impact Assessment (DPIA) before going ahead with the operation (idem). This paper (which draws on The DPO Handbook I wrote with Marie Georges, https://ssrn.com/abstract=3428957) sets out the GDPR requirements and methodologies recommended by EU data protection authorities (supervisory authorities) in these respects.
Sign-in/Register to access full text options 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a callDisclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.
