Towards a transparent and systematic approach to conducting risk assessment under Article 35 of the GDPR

dc.identifier.uri http://dx.doi.org/10.15488/11364
dc.identifier.uri https://www.repo.uni-hannover.de/handle/123456789/11451
dc.contributor.author Nwankwo, Iheanyi Samuel eng
dc.date.accessioned 2021-10-14T11:47:40Z
dc.date.available 2021-10-14T11:47:40Z
dc.date.issued 2021
dc.identifier.citation Nwankwo Iheanyi Samuel: Towards a transparent and systematic approach to conducting risk assessment under Article 35 of the GDPR. Hannover : Gottfried Wilhelm Leibniz Universität, Diss., 2021, ii, xxiii, 275 S. DOI: https://doi.org/10.15488/11364 eng
dc.description.abstract This dissertation focuses on the risk assessment carried out as part of a data protection impact assessment (DPIA) under Article 35 of the General Data Protection Regulation (GDPR), particularly Article 35(7)(c). Conventionally, risk assessment is a process of risk management that aims to identify the potential threats against an asset or object of value, analyse the likelihood and severity of the threats and of the potential harms if they materialise, and evaluate the risk level, with the ultimate objective of implementing measures to mitigate the identified risks. The current data protection framework in the EU has integrated a risk-based approach, requiring that risk assessment be conducted in several situations, including in the course of a DPIA. When this risk management feature is transposed to the context of data protection, the question is how the process should be carried out so that it meets the requirements of data protection law while retaining its risk management characteristics. There is no mandatory methodology under the GDPR for this exercise. Published guidelines on DPIA by the supervisory authorities have not clarified the scope of this core process. In most of these guidelines, for example, there are no clear and systematic criteria for identifying data protection threats, for analysing and evaluating the likelihood and severity of the risk, or for measuring the risk level. This uncertainty undoubtedly affects the use and practical relevance of these guidance documents, as well as the resultant DPIAs that are based on them. Bearing in mind that the GDPR does promote consistency and requires an objective assessment of risk, would the mostly subjective and unsystematic approach to risk assessment be sustainable henceforth? How could more procedural transparency be devised in this exercise, and what impact would it have? 
This dissertation argues in favour of a more uniform and systematic approach to data protection risk assessment and posits that this is feasible, given that the GDPR contains provisions that can be used to design this risk assessment architecture systematically. Existing risk management tools can be leveraged to accomplish this objective. What is missing, however, is a careful adaptation of these tools to suit the data protection environment. The study further argues that good practices in DPIA should be incentivised as a way of encouraging well-designed and well-implemented risk assessment. This study, therefore, proposes a method of mapping the ISO 31000:2018 processes to the relevant GDPR requirements for a DPIA and further suggests a methodology for operationalising risk assessment in a systematic way. This approach not only exposes the steps of conducting risk assessment during a DPIA, but also makes it easy to identify and focus on the relevant criteria for completing each step. Theoretically, this translates a DPIA into a procedural ‘tool of transparency’ as advanced by De Hert and Gutwirth’s theory of data protection. In the end, several recommendations are made to relevant stakeholders on how to further achieve consistency in the application of risk assessment during a DPIA. The output of this study targets not only the data controllers and processors, who are eager to find the best method of complying with the DPIA obligation, but also the supervisory authorities, as it will be valuable in their review and audit functions. It also exposes parameters by which these stakeholders can measure whether a risk assessment has been appropriately conducted. The broader privacy community will find the content of this study interesting in advancing their knowledge. eng
dc.language.iso eng eng
dc.publisher Hannover : Institutionelles Repositorium der Leibniz Universität Hannover
dc.rights CC BY-NC 3.0 DE eng
dc.rights.uri http://creativecommons.org/licenses/by-nc/3.0/de/ eng
dc.subject Data Protection eng
dc.subject Data Protection Impact Assessment eng
dc.subject Risk Assessment eng
dc.subject Datenschutz ger
dc.subject Datenschutz-Folgenabschätzung ger
dc.subject Risikobewertung ger
dc.subject.ddc 340 | Recht eng
dc.title Towards a transparent and systematic approach to conducting risk assessment under Article 35 of the GDPR eng
dc.type DoctoralThesis eng
dc.type Text eng
dcterms.extent ii, xxiii, 275 S.
dc.description.version publishedVersion eng
tib.accessRights frei zugänglich eng

