November 23, 2014

The Role of Risk Management in Data Protection

Data protection has long relied on risk management as a critical tool for complying with data protection laws and ensuring that data are processed appropriately and the fundamental rights and interests of individuals are protected effectively. Yet these risk management processes, whether undertaken by businesses or regulators, have often been informal and unstructured, and have failed to take advantage of many of the widely accepted principles and tools of risk management in other areas.

Risk management involves three key elements:

  1. The systematic process of identifying and assessing harms and other negative impacts
  2. Avoiding or mitigating those that cannot be justified by the benefits and other positive impacts
  3. Accepting and managing the remaining risks

This paper addresses the role of risk management in data protection as implemented in legal requirements, interpreted by regulators and put into practice by responsible organizations. It also highlights the growing consensus around risk management as an essential tool for effective data protection.