Risk to individuals

Many requirements of the GDPR including security, appropriate measures, records of processing activities, privacy impact assessments etc., require a consideration of the "risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing".

An objective assessment should be undertaken to establish whether the processing operations involve a risk, or in some cases, a high risk, to the individual, and the likelihood and severity of that risk. 

The following are broad examples of the risks to the individual that the processing of personal data may lead to. They relate in particular to processing in the following six areas:

  1. Effect on the individual:
    • discrimination,
    • identity theft or fraud,
    • financial loss,
    • damage to reputation,
    • loss of confidentiality of data protected by professional secrecy,
    • unauthorised reversal of pseudonymisation, or
    • any other significant economic or social disadvantage.
  2. Where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data.
  3. Where special categories of personal data are processed:
    • racial or ethnic origin,
    • political opinions,
    • religion or philosophical beliefs,
    • trade-union membership,
    • genetic data,
    • data concerning health or sex life, or
    • criminal convictions and offences or related security measures.
  4. Profiling, where personal aspects are evaluated in order to create or use personal profiles, in particular by analysing or predicting aspects concerning:
    • performance at work,
    • economic situation,
    • health,
    • personal preferences or interests,
    • reliability or behaviour, or
    • location or movements.
  5. Where personal data of vulnerable individuals, in particular of children, are processed.
  6. Where processing involves a large amount of personal data and affects a large number of data subjects.

See: Recitals 74-77

Other recitals also refer to risk in relation to the following areas:

Recital 28 - pseudonymisation

Recital 38 - children's data

Recital 51 - special categories of data

Recital 71 - profiling

Recital 83 - encryption

Recital 84 and Recitals 90/91 - data protection impact assessments

Examples of high-risk processing (in connection with data protection impact assessments) can be found in Article 35(3).