Risk and the risk-based approach

Abstract

Abstract The goal of this chapter is to understand the notion of risk at play in the risk-based approach. As was alluded in Chapter 5 already, the risk-based approach to data protection is only a piecemeal implementation of meta regulation, which focuses primarily on how to better comply with the existing data protection framework. Because meta regulation relies by definition upon risk management (and the risk transformation of regulated organisations), and thus ends-up transforming the whole data protection framework as risk-based, it is not clear what notion of risk underpins the risk-based approach. As demonstrated, the risk-based approach is predicated upon a notion of compliance risk, which is the only one able to reconcile the piecemeal implementation of meta regulation with the risk transformation of the regulatees. The present chapter will therefore explore this notion of compliance risk. It proceeds in three steps. GDPR: risk-based|risk-based approach: partial implementation of meta regulation|First, it uses the technical notion of risk put forth by the ISO as a description tool in order to show the differences between the competing understandings of risk. Second, it will define the notion that should have featured in the risk-based approach had it been a full implementation of meta regulation, namely a so-called “data protection risk”.standard setting: as risk management| Third, and in contrast, it will analyse the compliance risk at the heart of the risk-based approach.