GDPR Risk-Based Approach: 6 Steps to Get It Done

Updated November 24th, 2023

The introduction of the General Data Protection Regulation (GDPR) in the European Union in 2018 forced organizations worldwide to rethink their data management practices.

Today, the stakes are high: non-compliance with GDPR can attract heavy fines and a potential loss of consumer trust. Even so, many businesses have not fully understood the risks involved in their data processing, and implementing appropriate mitigation measures to safeguard personal information has taken a backseat as a result.


In this article, we will explore:

  • What is GDPR risk based approach?
  • How to identify, assess, and prioritize risks?
  • How to implement a risk-based approach to GDPR, illustrated with a case study?

Ready? Let us dive in!

Table of contents

  1. What is GDPR risk-based approach?
  2. 6 Steps to implement a GDPR risk based approach
  3. Case study: Implementing a risk-based approach to GDPR in “FinTrust,” a mid-sized retail bank
  4. Summing up
  5. GDPR risk-based approach: Related reads

What is GDPR risk-based approach?

The GDPR’s risk-based approach is a framework that prioritizes data protection measures based on the level of risk associated with specific data processing activities.

Here’s a detailed breakdown:

  1. Risk assessment
  2. Tailored data protection measures
  3. Obligation differentiation
  4. Technical and organizational measures
  5. Compliance and reporting
  6. Special measures for high risks
  7. Continuous management

Let us understand them in detail.

1. Risk assessment

Organizations must assess the level of risk their data processing activities pose to the rights and freedoms of data subjects. This involves identifying potential risks, analyzing their likelihood and severity, and classifying them as low or high.

2. Tailored data protection measures

Based on this risk assessment, organizations are encouraged to implement protective measures that correspond to the identified level of risk. Higher risk activities require more stringent measures.

3. Obligation differentiation

The approach differentiates the obligations of data controllers based on the specific risks associated with their data processing activities. This ensures a balanced cost-benefit ratio, where data protection instruments are used proportionally to the level of risk.

4. Technical and organizational measures

Organizations must select appropriate technical and organizational measures considering the severity of the risk to data subjects’ rights and freedoms.

5. Compliance and reporting

The approach dictates compliance requirements, such as the necessity of reporting data breaches to supervisory authorities, based on the risk these breaches pose to data subjects.

6. Special measures for high risks

In cases of high risk, special measures like data protection impact assessments and notifying data subjects in the event of data protection violations are mandated.

7. Continuous management

The risk-based approach is not a one-time assessment but requires continuous monitoring and updating of risk assessments and protective measures as circumstances change.

This approach allows for more effective and efficient data protection, ensuring that resources are focused on areas of highest risk, while also maintaining flexibility and adaptability to different processing contexts.

6 Steps to implement a GDPR risk based approach

The risk-based approach under GDPR is a strategic method to identify, assess, and prioritize risks associated with the processing of personal data. It forms the cornerstone of any comprehensive GDPR compliance strategy by focusing on the most critical areas where a data breach or misuse could occur.

Steps to implement a GDPR risk-based approach include the following:

  1. Identification of risks
  2. Assessment of risks
  3. Prioritization of risks
  4. Implementation of measures
  5. Monitoring and review
  6. Documentation

Let us understand these steps in detail.

Step 1: Identification of risks

The process starts with identifying potential risks associated with the collection, processing, and storage of personal data. This stage should involve a multidisciplinary team including legal, IT, and operational members.

Risks can range from data breaches due to cyber-attacks to accidental leaks by employees. The scope of identification should be broad, capturing both intentional and unintentional risk scenarios.

Tools like Data Protection Impact Assessments (DPIAs) can help in systematically identifying these risks.

Step 2: Assessment of risks

After identification, each risk should be assessed based on its impact and likelihood. Impact refers to the potential consequences, which could range from financial penalties to reputational damage.

Likelihood considers the odds of the risk event occurring.

The use of risk matrices can help visualize and assess risks effectively. The goal is to have a well-documented understanding of each risk, underpinned by robust analysis.

Step 3: Prioritization of risks

Once risks are assessed, the next step is to prioritize them. High-impact, high-likelihood risks typically take precedence. The organization should also consider its own risk appetite, or the level of risk it is willing to accept.

Prioritization helps organizations allocate their resources more efficiently. Time-bound action plans should be created for each risk, clearly stating who is responsible for what.
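The scoring and prioritization described in Steps 2 and 3 can be kept in a small risk register. The following is an added example, not code from the article or from Atlan; it assumes a 5x5 impact-by-likelihood matrix, three bands on the product score (low up to 6, medium up to 12, high above), a risk appetite expressed as the highest score accepted without an action plan, and deadlines per band of 30 and 90 days. The register entries are constructed for illustration.

```python
"""Risk register with impact x likelihood scoring, banding and prioritization.

Added example (not from the article). Assumed conventions: both scales run
1-5, band thresholds LOW_MAX / MEDIUM_MAX on the product, and DAYS_TO_ACT as
the time allowed per band for a completed action plan.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

LOW_MAX = 6       # product scores 1-6 are "low"
MEDIUM_MAX = 12   # 7-12 are "medium"; 13-25 are "high"

# Assumed policy: how soon each band needs a time-bound action plan.
DAYS_TO_ACT = {"high": 30, "medium": 90}


def score_band(score: int) -> str:
    """Map a matrix score to the band, i.e. the colour of a heat-map cell."""
    if score <= LOW_MAX:
        return "low"
    if score <= MEDIUM_MAX:
        return "medium"
    return "high"


@dataclass
class Risk:
    name: str
    impact: int        # 1 (negligible) .. 5 (severe consequences for data subjects)
    likelihood: int    # 1 (rare) .. 5 (almost certain)
    owner: str         # the named responsible party Step 3 asks for
    deadline: Optional[date] = None

    def __post_init__(self) -> None:
        # Reject scores outside the matrix instead of silently mis-banding them.
        for label, value in (("impact", self.impact), ("likelihood", self.likelihood)):
            if not 1 <= value <= 5:
                raise ValueError(f"{label} must be between 1 and 5, got {value}")

    @property
    def score(self) -> int:
        return self.impact * self.likelihood

    @property
    def band(self) -> str:
        return score_band(self.score)


def prioritize(risks: List[Risk], risk_appetite: int) -> Tuple[List[Risk], List[Risk]]:
    """Split the register into risks needing action (highest score first) and accepted risks."""
    needs_action = sorted(
        (r for r in risks if r.score > risk_appetite),
        key=lambda r: (r.score, r.impact),
        reverse=True,
    )
    accepted = [r for r in risks if r.score <= risk_appetite]
    return needs_action, accepted


def assign_deadlines(risks: List[Risk], today: date) -> List[Risk]:
    """Give each prioritized risk a deadline derived from its band."""
    for r in risks:
        days = DAYS_TO_ACT.get(r.band)
        r.deadline = today + timedelta(days=days) if days else None
    return risks


def sample_register() -> List[Risk]:
    """Constructed entries modelled on the article's FinTrust scenarios."""
    return [
        Risk("Customer service reps can see more customer data than their role needs", 4, 4, "Head of Customer Relations"),
        Risk("Customer records held by a cloud vendor that has not been audited", 5, 2, "Vendor Management"),
        Risk("Transaction data sent between mobile app and servers without encryption", 5, 3, "Head of IT"),
        Risk("Paper account-opening forms left on branch counters", 2, 2, "Branch Operations"),
    ]


if __name__ == "__main__":
    plan, accepted = prioritize(sample_register(), risk_appetite=LOW_MAX)
    assign_deadlines(plan, today=date(2023, 11, 24))  # constructed "today"
    for r in plan:
        print(f"{r.score:>2} {r.band:<6} due {r.deadline}  {r.owner}: {r.name}")
    for r in accepted:
        print(f"{r.score:>2} {r.band:<6} accepted within appetite  {r.owner}: {r.name}")
```

Sorting by score and then by impact means that, of two risks with the same score, the one with the worse consequences for data subjects is worked first; the risk appetite is the single number the organization has to agree on before the register can be acted upon.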

Step 4: Implementation of measures

After prioritization, the organization should implement the necessary measures to manage the identified risks. These measures could range from technical solutions like encryption and firewalls to organizational changes like policy updates.

Organizations should also consider a phased approach to implementation, especially for more complex measures that require significant resources or changes to existing systems.

Step 5: Monitoring and review

Once measures are implemented, continuous monitoring and periodic reviews are essential. Key Performance Indicators (KPIs) can be used to assess the effectiveness of the risk management strategies.

Monitoring ensures that the measures are effective and identifies any new risks that may have emerged.

Step 6: Documentation

Documentation is a vital component of the risk-based approach. All steps, from risk identification and assessment to prioritization and implementation, should be meticulously documented. This serves multiple purposes: it supports internal audits and enables continuous improvement.

Proper documentation provides a defensible position, showing that the organization has taken all necessary steps to comply with GDPR’s risk-based approach requirements.

Understanding and executing these steps proficiently enables organizations to manage risks effectively while also ensuring GDPR compliance.

Note: Adopting a risk-based approach is not just a requirement under GDPR; it’s also a best practice that offers the dual benefit of protecting an organization from the legal ramifications of non-compliance and safeguarding the privacy of individuals.

Failing to adopt this approach leaves organizations vulnerable to data breaches, hefty fines, and reputational damage.

Case study: Implementing a risk-based approach to GDPR in “FinTrust,” a mid-sized retail bank

Our hypothetical company, “FinTrust,” a mid-sized retail bank, manages a wide range of data, from customer personal details to transactional data. Recognizing the far-reaching implications of GDPR, the bank decided to implement a robust, risk-based approach to data protection and compliance.

Identification of risks

FinTrust established a Risk Management Team (RMT) that brought together expertise from Legal, IT, Compliance, and Customer Relations departments. This team began by identifying potential vulnerabilities in the bank’s data processing chain.

Real-world scenario: The customer service team noted that some customer service representatives had access to more customer data than needed to perform their duties. This was seen as a data minimization risk.

Assessment of risks

The RMT initiated a thorough risk assessment exercise using Data Protection Impact Assessments (DPIAs) and other internal audit mechanisms. Each risk was weighed against criteria such as potential GDPR fines, operational disruption, and reputational damage.

Real-world insight: During the assessment, the bank realized that a significant part of their customer data was stored on third-party cloud services. The risk here involved potential data breaches at the vendor’s end, leading to non-compliance.

Prioritization of risks

A risk heat map was created to visualize the level of attention each risk required. High-impact and high-likelihood risks were treated with priority.

Real-world challenge: An identified top-priority risk was the insecure transmission of transactional data between the bank’s mobile app and its servers. A breach here could potentially expose millions of transactions.

Implementation of measures

To mitigate identified risks, the RMT developed a multi-faceted strategy:

Role-based access control (RBAC): Access to customer data was limited based on job responsibilities.

Data encryption: End-to-end encryption was implemented for data transmitted between the bank’s app and its servers.

Vendor audits: Security audits were conducted on the third-party vendors responsible for data storage.

Real-world tactic: A series of “ethical hacking” tests were commissioned to identify vulnerabilities in their mobile and web platforms.

Monitoring and review

Post-implementation, the bank established continuous monitoring mechanisms:

Anomaly detection: Real-time monitoring was set up to detect unusual data access or transactions.

Customer feedback loops: A channel was established for customers to report data security concerns directly.

Real-world insight: The bank found, via monitoring, that there was an unusual level of access requests made during off-hours. Immediate investigation led to the identification of a compromised internal account, and quick action was taken.
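The off-hours finding above is the kind of signal a simple monitoring rule produces. The following is an added example, not code from the article or from any bank or vendor it describes; it assumes an access log with one event per line in a constructed format ("<ISO timestamp> account=<id> action=<verb> records=<n>"), business hours of 08:00 to 18:00 Monday to Friday, and a per-account threshold on records touched outside those hours. The log lines are constructed for illustration, and the rule is written so that a malformed line is skipped rather than aborting the review.

```python
"""Off-hours data-access review over an access log.

Added example (not from the article). Assumed log format per line:
    <ISO-8601 timestamp> account=<id> action=<verb> records=<count>
Assumed policy: business hours 08:00-18:00, Monday-Friday; an account whose
off-hours record accesses exceed THRESHOLD is flagged for investigation.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

LINE = re.compile(
    r"^(?P<ts>\S+) account=(?P<account>\S+) action=(?P<action>\S+) records=(?P<records>\d+)$"
)
BUSINESS_START, BUSINESS_END = 8, 18   # hour of day, assumed policy
THRESHOLD = 100                        # off-hours records per account, assumed policy

# Constructed sample log. 2023-11-20 is a Monday; 2023-11-25 is a Saturday.
SAMPLE_LOG = """\
2023-11-20T09:15:02 account=csr.alice action=view records=1
2023-11-20T14:40:11 account=csr.bob action=view records=1
2023-11-20T23:05:44 account=csr.bob action=export records=250
2023-11-21T02:12:09 account=csr.bob action=view records=40
2023-11-21T03:01:30 account=csr.bob action=export records=500
2023-11-21T10:00:00 account=csr.alice action=view records=2
2023-11-25T11:30:00 account=ops.carol action=view records=3
this line is malformed and must be skipped, not crash the review
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "account": m["account"],
        "action": m["action"],
        "records": int(m["records"]),
    }


def is_off_hours(ts: datetime) -> bool:
    """True on weekends or outside BUSINESS_START..BUSINESS_END on weekdays."""
    if ts.weekday() >= 5:          # Saturday = 5, Sunday = 6
        return True
    return ts.hour < BUSINESS_START or ts.hour >= BUSINESS_END


def off_hours_summary(log_text: str) -> Dict[str, Dict[str, int]]:
    """Per account: number of off-hours events and records touched in them."""
    summary: Dict[str, Dict[str, int]] = defaultdict(lambda: {"events": 0, "records": 0})
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None or not is_off_hours(event["ts"]):
            continue
        summary[event["account"]]["events"] += 1
        summary[event["account"]]["records"] += event["records"]
    return dict(summary)


def flag_accounts(log_text: str, threshold: int = THRESHOLD) -> List[Tuple[str, int]]:
    """Accounts whose off-hours record accesses exceed the threshold, worst first."""
    summary = off_hours_summary(log_text)
    flagged = [(acct, s["records"]) for acct, s in summary.items() if s["records"] > threshold]
    return sorted(flagged, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for account, records in flag_accounts(SAMPLE_LOG):
        print(f"investigate {account}: {records} customer records accessed off-hours")
```

A threshold on records rather than on event count is deliberate: a single off-hours export of hundreds of records is a stronger signal than a handful of single-record lookups, which is what the record-based sum captures. In practice the threshold would be set from a baseline of each role's normal activity, and the flagged list would feed the investigation step the case study describes.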

Documentation

Every stage of this process, from risk identification to implementation, was meticulously documented:

Process logs: Detailed logs were kept for each step in the risk assessment and mitigation process.

Compliance records: All compliance-related actions were documented, with time-stamps and named responsible parties.

Audit trails: Automated logs were generated for all data accesses and alterations.

Real-world requirement: When FinTrust was audited, this thorough documentation proved invaluable, showcasing their comprehensive, risk-based approach to GDPR compliance.

Through a carefully executed risk-based approach, FinTrust not only aligned itself with GDPR requirements but also fortified its data protection mechanisms.

This effort, though resource-intensive initially, saved the bank from potentially catastrophic financial and reputational damages. It also helped instill a pervasive culture of data protection awareness, crucial in today’s digital age.

Summing up

In summary, the risk-based methodology is central to achieving meaningful GDPR conformity. By thoroughly identifying, evaluating, prioritizing and mitigating data processing risks, organizations can adopt a targeted approach to compliance.

Technical solutions like encryption and access controls address technological vulnerabilities. Organizational measures including staff training and vendor oversight tackle operational risks. Rigorous documentation provides accountability.

While resource-intensive initially, the long-term benefits of risk-based thinking are immense – avoiding data breaches, fines, and reputational damage.

As regulations and technologies evolve, regular reviews and monitoring are imperative to adjust strategies accordingly. By embracing risk-based compliance, organizations reinforce not just conformity, but also trust.
