The first broad reform of personal data protection legislation in the European Union entered into force in May 2018 (Regulation (EU) 2016/679, the General Data Protection Regulation). Remarkably, with this reform a risk-based approach has been introduced as the core data protection enforcement model, while data protection authorities see their regulatory role significantly weakened. The risk-based approach is to be implemented by the data controllers (i.e. the operators) via data protection impact assessments (evoking the established environmental impact assessment procedure) and notification of breaches, among other procedures. Hence the scope of both the concepts of risk and risk regulation spread beyond conventional domains, namely the environment, public health or safety, i.e. physical risks, to encompass risks to intangible values, i.e. individual rights and freedoms, presumably harder to assess and manage. Strikingly, the reform has been accompanied by a confident discourse by EU institutions, and their avowed belief in the reform’s ability to safeguard the fundamental right to data protection in the face of evolving data processing techniques, specifically, big data, the Internet of Things, and related algorithmic decision-making. However, one may wonder whether there isn’t cause for concern in view of the way the risk-based approach has been designed in the data protection legislation. In this article, the risk-based approach to data protection is analysed in the light of the reform’s underlying rationality. Comparison with the risk regulatory experience in environmental law, particularly the environmental impact assessment procedure, is drawn upon to assist us in pondering the shortcomings, as well as the opportunities of the novel risk-based approach.