Data protection law requires a risk-based approach when defining technical and organizational measures. The decisive risk here is the risk to the rights and freedoms of data subjects (GDPR) or the risk of a violation of personal rights (DSG).

The first step towards a data protection-compliant risk assessment is to create a list of personal data that is processed in a company. In the EU, such a list is already mandatory by keeping a register of processing activities. Based on this information, the risk of the most likely incidents can be assessed, such as data leaks, destruction, misinformation, etc.

Based on the identified risk value, it can be decided whether the risk is appropriate or whether further technical and organizational measures are necessary to reduce the risk to a moderate level. In summary, the following steps must be followed:

• Identify personal data in the company
• Evaluate risk for affected persons
• Evaluate whether existing technical and organizational measures are sufficient
• Take further steps to reduce the risk
• Documentation of the entire process and obtain approval from management