On 7 February 2018, the Office for Personal Data Protection (the "Office") published a draft methodology for assessing the risk of personal data processing. The risk of processing is a key factor to correctly determine the corresponding obligations of each data controller and processor under the GDPR.
One of the new responsibilities for data controllers under the GDPR is to perform a data processing impact assessment (DPIA) when processing is likely to result in a high risk. The GDPR does not specify the details of the risk assessment. The Office's methodology supplements the regulation and stipulates 15 specific criteria for assessing the risk of processing (e.g. extent of processing, sensitivity of the data, degree of monitoring, or vulnerability of data subjects), each of which is further divided into three levels according to seriousness.
Although it is not yet the final document, the risk assessment methodology published by the Office in relation to the DPIA is a significant refinement of the existing methodology of the EU Working Party WP29. In addition, it is evident from the draft that the number of processing activities that should be subject to a DPIA according to the Office will be lower than if it were based only on the WP29 guidelines. It will not include, for example, bookkeeping or the operation of a CCTV system without excessive monitoring of public areas or employees. The full text of the draft is available HERE.