Driven by risk: Fostering data protection risk assessment for SMEs and raising risk awareness among the general public

Personal data protection legislation, with the General Data Protection Regulation (GDPR) as its main pillar in the EU, adopts a risk-based approach to the measures that must be implemented to demonstrate compliance. A risk-based approach necessitates a risk assessment, which aims to assess objectively the risks that the planned processing of personal data may pose to the rights and freedoms of data subjects.
The data protection and privacy risk landscape is becoming increasingly complex due to the advent of new technologies, in particular Artificial Intelligence (AI), which entails new risks. Currently, there is no formal, structured methodology or approach that efficiently addresses all data protection risks. Existing methodologies focus mainly on the subset of data protection risks related to the security of processing and the fulfilment of data protection rights, while only a few address risks arising from other domains. Moreover, the existing methodologies are mainly constructed to facilitate Data Protection Impact Assessments (DPIAs) pursuant to Art. 35 of the GDPR, meaning that they are focused only on specific high-risk processes. Thus, they may not be the proper instruments for an SME.
At the same time, although media reports often warn about the data protection risks of new technologies, most users are unaware of the particular adverse consequences that the processing of their data could have. This may lead them to underestimate, or even overestimate, the risks arising from the processing of their data. Data subjects' perception of risk refers to their subjective judgements about the likelihood of negative outcomes from data processing.
The byRisk project identifies two needs: on the one hand, guidance and tools that help SMEs assess their data protection and privacy risks, and, on the other hand, a clear and trustworthy reference for data subjects on the different risks to their rights and freedoms, along with the possible harms and mitigation methods. To address them, the project pursues two strategic goals:

• To help SMEs properly identify and analyse all the data protection and privacy risks arising in the context of the data processing operations they perform.

• To raise awareness of data protection and privacy risks among a wide spectrum of stakeholders, including SMEs and the general public.

The byRisk project has received funding from the European Union’s Citizens, Equality, Rights and Values Programme (CERV) under grant agreement No. 101193352 and is coordinated by the Hellenic Data Protection Authority.

Project start date: December 1, 2024
Project end date: November 30, 2026