Risk is an important concept in the GDPR. The presented view that data protection is about mending the power imbalance between controller and data subject clarifies also the notion of risk:
The main risk is that the processing of personal data indeed results in a power imbalance that restricts the rights and freedoms of the affected individuals. From this point of view, it becomes clear that the risk is not that some undesirable event occurs (such as an attack or a natural disaster), but much rather that the controller exerts excessive power over data subjects.
Note that this understanding of risk is very different from risk in cybersecurity. There, the controller is typically seen as the “good guy” defending against predominantly external “attacks”. In data protection in contrast, the controller’s behavior, i.e., the processing activity, is the source of risk. The likelihood that this occurs is 100%. Unlike in cybersecurity, controllers now have to protect the weaker data subject from risk resulting from their own processing. Controller are thus no longer automatically the good guys, but have to make explicit efforts to not become bad guys themselves.
For people mostly familiar with cybersecurity, understanding data protection may require a significant mental shift. Understanding this difference is a pre-requisite to being able to comply with the GDPR. For further reading we recommend an article about eight different types of risk.
1See for example Art. 24(1), 35(1) and Recitals 75 and 84. ↑
2Martin Rost, Risks in the context of data protection, http://www.maroki.de/pub/privacy/Rost_Martin_2019-02_Risk:_8types_v1.pdf (last visited 8/5/2020). ↑