Are the risks related to the processing of personal data, as referenced in the GDPR, fixed and exhaustive? They are not. The regulation provides a non-exhaustive list of risks solely as a foundation for protecting fundamental rights. Administrators must assess and address additional, context-specific risks beyond those explicitly listed. This requires thorough risk identification, constant monitoring, and adaptation to changes in technology and data practices.

The GDPR's flexibility allows organisations to tailor safeguards to specific scenarios, but it also places a responsibility on them to assess and mitigate broader risks. Risks such as re-identification or profiling may not be explicitly mentioned, yet they still require measures. Rather than treating this as mere compliance, organisations should integrate these considerations into their processes.

To support this, and to demonstrate compliance, impact assessments come in many forms, depending on their focus and scope. A Fundamental Rights Impact Assessment (FRIA) represents the broadest approach: it combines specific assessments such as Privacy Impact Assessments (PIA) and Data Protection Impact Assessments (DPIA), but also less well-known flavours such as the Freedom of Expression Impact Assessment (FoEIA) or the Non-Discrimination Impact Assessment (NDIA), or a technical element such as a web privacy impact assessment. These assessments enable a nuanced understanding of the risks involved and help design tailored mitigation strategies. Central to this effort is the "by-design" approach (as in Data Protection by Design), where safeguards are embedded into the development and design phases of technologies and processes. This anticipatory approach ensures that principles such as data minimisation, security, auditability, and the ability to identify cyberattacks or data breaches are built into systems from the outset, significantly reducing risks before deployment. But how is this done in practice?

A key consideration in these strategies is the concept of "state of the art" (SOTA). The GDPR uses this term to ensure that implemented measures reflect current best practices in technology and methodology. However, "state of the art" is not static; it evolves as technology and threats advance. While organisations are ultimately responsible for determining what constitutes SOTA in their specific context, this decision must be documented so that it withstands scrutiny during audits or regulatory reviews (there is Court of Justice of the European Union case law on this point). To justify their choices, organisations should record their evaluation process, referencing expert advisories, standards, regulatory guidance, and industry practices. Do you want to use a particular hashing function, a privacy-preserving technology, a risk-surface identification method, or an Endpoint Detection and Response solution? Fine, but justify it, if only to leave a trace of the analysis and the decision. This documentation not only supports the organisation's decision but also demonstrates due diligence and accountability.

Many impact assessment activities can also be streamlined using AI and large language models (LLMs), which enable the creation of automated pipelines for efficient evaluations, especially in a continuous-development paradigm. Some situations, though, still merit a case-by-case assessment.

Comments, queries, or maybe offers? Contact me at me@lukaszolejnik.com; I'm seeking engagements.