
"Likely to Result in Risk" Under GDPR

"Likely to Result in Risk" is a somewhat vague term, especially for organizations that want to stay GDPR compliant. In this piece, we clear up everything you need to know about it.

"Likely to Result in Risk" Examples

Under the GDPR, one of the requirements for compliance is completing a DPIA, or Data Protection Impact Assessment. The ICO (the UK supervisory authority) requires a DPIA to be carried out for processing operations that are "likely to result in risk."

But what exactly does "likely to result in risk" mean? How can organizations form a solid working definition of this term to use in their DPIAs and in their overall GDPR compliance plan? Even though the GDPR itself is vague on the point, there are plenty of examples of what counts as a high-risk action or process. In this guide, we break down what is likely to result in risk under the GDPR, along with examples of what to look out for.

What is a DPIA?

A data protection impact assessment (DPIA) lets you identify and reduce a project's data protection risks. It is a specific kind of evaluation, carried out in relation to a particular processing activity, to ensure that any privacy risks have been noted and that safeguards have been implemented where appropriate.

A DPIA is required for processing that poses a significant risk to individuals. This includes certain specified categories of processing. A DPIA should also be conducted for any other major project involving the processing of personal data.

What Does "Likely to Result in Risk" Mean?

Under Article 35 of the GDPR, data controllers must conduct a data protection impact assessment if a processing operation, particularly one involving the use of new technologies, is "likely to result in a high risk to the rights and freedoms of natural persons." Neither "high risk" nor "DPIA" is defined in the GDPR itself. However, some standards for what constitutes "high risk" are set out in laws and regulatory guidance, which are explored in depth in Section 4.

In brief, high risk may be associated with processing large volumes of data, processing sensitive or special categories of personal data, or processing operations that use new technologies for which the controller has not yet performed a DPIA.

To get a better grasp on what is considered high risk under the GDPR, let’s take a look at some examples.


Examples of "Likely to Result in Risk"

Experimental Technology

This risk applies to processing that involves the deployment of novel applications of existing technology. When paired with any other criterion from WP248rev01, a DPIA is required for any proposed processing operation that involves innovative use of technology or the implementation of novel organizational and technological solutions.

Depending on the particulars of the processing, examples of this include artificial intelligence, machine learning and deep learning, connected and autonomous cars, intelligent transportation systems, smart technologies, market research including neuro-measurement, and various IoT applications.

Invisible Processing

Invisible processing is the processing of personal data that has not been obtained directly from the data subject. It covers the situations described in Article 14.5, where the controller believes that providing the information required by Article 14 would be impossible or would involve a disproportionate effort. Any proposed processing operation in which the controller relies on Article 14.5 requires a DPIA.

List brokering, direct marketing, online tracking, advertising, data aggregation, and the reuse of publicly accessible data are a few examples of this processing.

General Tracking

Tracking is processing that involves following a person's geolocation or behaviour, including but not limited to their online activity. Any proposed processing operation that uses geolocation data must first undergo a DPIA. Examples include social media platforms, software applications, online advertising, web and cross-device tracking, eye tracking, data processing in the workplace, and data processing in the context of working from home and other remote locations.

Genetic Information

Any processing of genetic data that is not carried out by an individual doctor or other health care professional for the purpose of providing direct care to the data subject is considered the processing of genetic information. Any proposed processing operation involving genetic data should be subject to a DPIA. Examples include DNA testing, medical research, and medical diagnostics.

Data Matching

Another possible issue is data matching, which means combining, comparing, or matching personal data gathered from several sources. Examples include federated identity assurance services, direct marketing, tracking individuals' use of statutory services or benefits, and fraud prevention.

Denial of Service

Denial of service occurs when decisions about a person's access to a product, service, opportunity, or benefit are based in part or entirely on automated decision-making, or involve the processing of special-category data.

Credit checks, mortgage or insurance applications, and other pre-contract checks are some of the most typical forms of denial of service.

Significantly Large-Scale Individual Profiling

Any large-scale individual profiling carried out by an organization poses this risk. Examples include data processed by smart meters or IoT applications, fitness or lifestyle tracking devices and software, social media networks, and the integration of AI into existing processes.

Biometric Data

Any processing of biometric data for the purpose of uniquely identifying a person falls under this risk. When paired with any other criterion from WP248rev01, a DPIA is required for any proposed processing operation that uses biometric data to uniquely identify an individual.

Examples of processing biometric data (including voice recognition, fingerprints, facial recognition, and the like) include facial recognition technologies, workplace identity verification and access control systems, and identity verification and access control for hardware and applications.

If you are still unsure whether a particular activity is "likely to result in risk," it is best practice to carry out a DPIA just in case. It is always better to err on the side of caution when identifying and mitigating the risks associated with processing personal data.
