GDPR: risk assessment and DPIA

GDPR is risk-based throughout. The controller must implement technical and organisational measures that are “appropriate in relation to the risk” (Art. 32). That means you need a risk assessment, formal or informal.

For particularly high-risk processing a DPIA (Data Protection Impact Assessment, Art. 35) is required. Supervisory authorities (in Sweden: IMY) publish lists of when a DPIA is always required, plus threshold criteria for other cases.

GDPR risk assessment is compatible with ISO 31000, same identify → analyse → evaluate → treat → monitor.

• Automated decision-making with legal effects

  E.g. automated credit scoring, AI-based decision-making (GDPR Art. 22).

• Large-scale systematic monitoring

  Video surveillance of public spaces, large-scale behavioural tracking.

• Large-scale processing of special-category data

  Health, ethnicity, religion, sexuality, union membership (Art. 9 data).

• Dataset matching

  Combining or comparing datasets from different sources.

• Vulnerable data subjects

  Employees (in the employment context), children, patients, customers in dependent relationships.

• New technology

  AI processing, biometrics, IoT devices, especially when unproven.

• Systematic description of processing

  Purpose, scope, types of data, categories of data subjects, recipients, retention.

• Necessity and proportionality

  Can the purpose be achieved with less privacy intrusion? Is the processing proportionate?

• Risk assessment

  Identify risks to the rights and freedoms of data subjects. Assess likelihood and consequence. The RiskNote part.

• Measures to address the risks

  Technical (encryption, pseudonymisation) and organisational (access control, training) measures.

• Consultation with DPO

  If a DPO exists, their assessment must be documented.

• Consultation with data subjects or representatives

  Where appropriate, e.g. employee representatives for HR processing.

• Prior consultation with supervisory authority

  If risks can't be reduced to an acceptable level, consultation is required before processing begins.

RiskNote fits very well for the **risk-assessment part** of a DPIA (Art. 35.7(c)). The AI can suggest typical risks for personal data processing: unauthorised access, dissemination, purpose drift, insufficient transparency, right to erasure.

RiskNote does not cover the **full DPIA process** (description of processing, proportionality assessment, DPO consultation). A full DPIA template is planned as a free tool Q3 2026.

**EU AI Act**: if your processing involves AI, the EU AI Act (from 2026) requires additional transparency. RiskNote is itself EU AI Act-compliant and labels all AI output per Art. 50.