GDPR – Office for personal data protection publishes a risk assessment methodology

Company: Eversheds Sutherland

On 7 February 2018, the Office for Personal Data Protection (the "Office") published a draft methodology for assessing the risk of personal data processing. The risk of a processing operation is the key factor in determining the corresponding obligations of each data controller and processor under the GDPR.

One of the new responsibilities for data controllers under the GDPR is to perform a data protection impact assessment (DPIA) when processing is likely to result in a high risk. The GDPR itself does not specify how the risk is to be assessed. The Office's methodology supplements the regulation and sets out 15 specific criteria for assessing the risk of processing (e.g. extent of processing, sensitivity of the data, degree of monitoring, or vulnerability of data subjects), each of which is further divided into three levels according to seriousness.

Although the document is not yet final, the Office's published risk assessment methodology for DPIAs is a significant refinement of the existing methodology of the Article 29 Working Party (WP29). In addition, it is evident from the draft that the number of processing activities subject to a DPIA according to the Office would be lower than if the assessment were based only on the WP29 guidelines. It would not include, for example, bookkeeping or the operation of a CCTV system that does not excessively monitor public areas or employees. The full text of the draft is available HERE.

In case of any questions, please contact our GDPR experts:

Mgr. Ing. Radek Matouš, Managing Attorney, E: radek.matous@dhplegal.com, T: +420 255 706 554

Mgr. Marek Bomba, LL.M., Managing Attorney, E: marek.bomba@dhplegal.com, T: +420 255 706 548

Tags: Law