Risk-Based Approach for SMEs

The Risk-Based Approach to Data Protection

Data protection law requires a risk-based approach when defining technical and organizational measures (TOM). The risk that matters here is the risk to the rights and freedoms of data subjects (GDPR) or the risk of violating their personality rights (FADP), not the risk to the company itself.

The first step in a data protection-compliant risk assessment is to compile an inventory of the personal data processed within the company. In the EU, such an inventory is mandatory as part of the register of processing activities. Based on this inventory, the risk of the most likely incidents, such as data leaks, destruction of data, or misinformation, can be assessed for each category of data.

The resulting risk value determines whether the risk is acceptable as it stands or whether additional technical and organizational measures are needed to reduce it to a moderate level.

In summary, the following steps must be followed:

  1. Identify personal data within the company
  2. Evaluate the risk for affected individuals
  3. Assess whether existing technical and organizational measures are sufficient
  4. Take further steps to reduce the risk
  5. Document the entire process and obtain approval from management

Following this process ensures that data protection measures are chosen to address the risks actually identified, and that the organization can demonstrate compliance with the legal requirements.

INSIGHTS, 5 September 2023: Data protection law requires a risk-based approach in defining TOM