Turkish Law Blog
The Shift Towards a “Risk-Based Approach” with GDPR: Critical Assessment of its Advantages and Disadvantages
As Gellert notes that ‘data protection is first and foremost a legal framework for the regulation of the risks stemming from the deployment of Information and Communication Technologies into society (and more in particular, the data processing operations they allow for)’, risk-based approach is not a new concept in EU data protection framework but it is now much more visible with General Data Protection Regulation (GDPR). In particular, articles 24 about responsibility of controller, 25 about privacy by-design and by default and 35 about data protection impact assessment (DPIA) have roles that need to be examined when assessing the risk-based approach.
This move towards a risk-based approach has been justified on the basis of making the rules and principles of data protection law more effective. As Kuner notes, the new obligation to identify risks using DPIAs is a part of shift from ‘paper-based bureaucratic requirements’ towards ‘compliance in practice’ . In other words, the risk-based approach could be regarded as a means to enable shift from theory to practice.
The risk based approach can enhance the internalisation of data protection culture among data controllers. It also could be a ‘clearer steer for accountable and responsible organisations that seek to ‘get it right’ for reputational, commercial or other reasons of enlightened self-interest’. Also, in theory it is argued that the cost of compliance for controllers or processors subject to data protection law could be reduced. DPIAs can be seen as a way to make data controllers feel more responsible to data subject. Also, the flexible nature of the risk-based approach could help partially to keep pace with emerging technologies.
However, there are some concerns about this shift towards risk-based approach. The first concern is about compatibility of the risk-based approach to the fundamental rights character of data protection. In other words, it is about inconsistency of the risk-based approach with the right-based nature of data protection law. The other concern is the notion of risk itself in the GDPR. Understanding and the delimiting the correct role of risk which underpins the whole risk-based approach is very important. As noted by Lynskey, perhaps more pertinently, ‘the compatibility of a risk-based approach with the right to data protection will depend on the precise role that risk plays’.
A risk based approach differs from risk regulation. Hustinx argues that it is important to distinguish between two different concepts of risk – first, the idea that ‘risk’ operates as a threshold condition which must be satisfied before any regulation could apply; and second, an approach to regulation in which protection is conferred only in the riskiest of scenarios and processing activities.
The risk-based approach supported by various stakeholders in various interpretations. While some academics conclude that the GDPR risk is about ‘compliance risk’, Art. 29 Working Party argues for a clear separation between compliance and risk issues.
The following part of this paper discusses existing interpretations of the risk-based approach and the notion of risk in the GDPR. The third part critically assesses advantages and disadvantages of risk-based approach making reference to provisions of the GDPR which risk-based approach transpires. The paper concludes that there are some questions remaining and it seems hard to reach a conclusive answer at the moment. The provisions of GDPR which underpin the risk-based approach requires further guidance from the European Data Protection Board and the courts about its application in practice.
- The Risk-Based Approach in the GDPR
The risk-based approach has been supported by various players in separate interpretations.
While some read the ‘risk’ in the risk-based approach narrowly as a ‘yardstick to tailor data controllers’ obligations’; some interprets broadly and view ‘risk’ in the risk-based approach as an organising concept both for compliance and for enforcement. According to first narrower interpretation, the risk-based approach means ‘a scalable and proportionate approach to compliance’; according to latter and broader interpretation, it means that the enforcement carried out by data protection authorities should target just risky instead of all data processing activities. The latter interpretation has potential to detract from the protection ensured by right-based data protection regime and to eliminate core data protection principles.
The GDPR takes a heightened approach to the concept of risk when compared with the Directive that it replaces. There are far more provisions referring to risk in the GDPR, and it generally reflects a move to a risk-based approach. This approach can be justified not only by the need for efficiency and cost reductions but also because of the necessity of ensuring that data protection laws are harmonised as far as possible across the EU. This point has been noted by a number of commentators. For example, Quelle notes the more practical focus of the GDPR: ‘The Regulation as a directly applicable legal instrument can no longer declare that risk should be used as a yardstick to adjust data controllers’ obligation by Member States, as did the Directive, but actually has to specify the calibrated obligations in its text itself.’
In the GDPR the notion of risk can be seen as a core of the accountability principle and the trigger of data controllers’ obligations. Risk becomes an important element of responsibility and the centre of the DPIAs. Risk-based approach is addressed in particular by articles 24, 25(1) and 35 of the GDPR. These provisions enable controllers to calibrate their obligations. Articles 24 and 25(1) sets out the obligations of data controller in the sense of how they should interpret and perform other obligations in the GDPR. While article 24 states the obligations of controllers, article 25(1) states appropriate measures that the controller could take. Article 24(1) provides that:
‘Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation’.
This article refers to implement all the measures to meet with all principles and requirements of the GDPR. It allows scaling but not eliminating data controllers’ and processors’ obligations according to risk resulting from processing activity. In other words; GDPR requires ‘all measures to comply’ to be scaled ‘according to the risks posed by the relevant processing operations’. As Hustinx correctly asserts, ‘more detailed obligations should apply where the risk is higher and less burdensome obligations where it is lower’. The rights of data subject should be guaranteed by data controller regardless of whatever risk posed to data subject. It should not have any effect on protection offered by GDPR to data subjects.
As the GDPR only refers to scalable and proportionate compliance, it is questionable what the real impact of the risk-based provisions will be in practice.
Furthermore, the GDPR introduces risk in the context of new obligations including Article 30 an obligation to keep records of processing activities, Article 25 principle of privacy by design and by default. In some articles; such as Article 35 Data Protection Impact Assessments, Articles 33-34 data breach notifications, Articles 37-39 related to data protection officers; risk level triggers the applicability of requirements which will become obligatory to data controllers only if their processing activities includes a risk or a high risk to data subjects.
- The Distinct Interpretations of the Notion of Risk
As the notion of risk in the GDPR incorporates with risk-based approach, understanding the notion of risk is quite important. Article 35 of the GDPR contains key elements to understand the notion of risk in the GDPR. It reveals the ambiguity of the meaning of the risk in the GDPR. Article 35(1) provides that:
‘Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.’
Gellert emphasises the contradiction inherent in the object of the article and notes the uncertainty about what is intended. To illustrate this, he poses the hypothetical question whether the assessment in the article is an assessment of the likely high risk to the data subject\\\'s rights and freedoms, or the impact on the protection of personal data. When he defines risk, he states the fact that risk is composed of both event and its consequences. And he defines the GDPR risk as a ‘compliance risk’. The ‘event’ element of compliance risk is ‘lack of compliance’ and the ‘consequence’ element of it is ‘the risks to the data subjects’ rights and freedoms’. This understanding of risk is in contradiction with Art. 29 WP statements as well as several DPIA methodologies, which adopts clear distinction between risk and compliance.
Considering Art. 29 WP’s recently published revised guidelines on DPIAs, a risk can be defined as ‘a scenario describing an event and its consequences, estimated in terms of severity and likelihood’. Gellert notes that although this definition is not meet with the ‘event’ and ‘consequence’ elements separately; it is compatible with ISO’s definition. ISO embraces the distinct roles of event and consequence by providing ‘risk is often characterized by reference to potential events and consequences or a combination of these’.
The Art. 29 WP has always supported the adoption of risk-based approach and released statements to clarify the role of risk-based approach in data protection legal framework and more recently its guidelines on DPIA.
In its 2014 statement on risk-based approach, the A29WP has stated a clear view in favour of fundamental rights objective of EU data protection law and argued that ‘the risk-based approach is increasingly and wrongly presented as an alternative to well-established data protection rights and principles, rather than as a scalable and proportionate approach to compliance’ It argues legal requirements could not be optional and there is no discretion to the data controller about the data subjects’ rights. This statement clearly in line with right-based nature of GDPR and also it is possible to say that this statement has influenced a number of DPIA methodologies.
The Art. 29 WP revised Guidelines on DPIA is in line with its 2014 statement as well. Although the purpose of this revised Guidelines is not about the risk-based approach, DPIAs contains number of elements to understand the risk notion in the GDPR.
The first interpretation about risk-based approach in the GDPR is in favour of clear separation between compliance and risk. The second one is in favour of ‘compliance risk’ which states compliance issues are integrated into the risk calculation. Geller notes, ‘the key for thinking this integration lies in the notion of scalability.’ For example, ignoring data minimisation principle may result with violation of data subjects’ fundamental rights. But how much minimisation is required in order to comply with the data minimisation requirement? These question shows the fact that compliance is inherently scalable. It can be found in A29 WP statement, it provides that ‘fundamental principles applicable to the controllers should remain the same, whatever the scope of processing and the risks for the data subjects. However, ... they are inherently scalable’. Actually this creates confusion as it integrates compliance into risk which is in contradiction with A2WP’s abovementioned interpretation.
Recital 78 articulates the relation between data subjects’ fundamental rights and freedoms and compliance by stating: ‘The protection of the rights and freedoms of natural persons with regard to the processing of personal data require that appropriate technical and organisational measures be taken to ensure that the requirements of this Regulation are met’. Gellert asserts, ‘addressing the risks to the data subjects’ rights and freedoms directly influences the level of compliance. This shows well that compliance is an integral element of the risk analysis exercise’.
Two different interpretations have been discussed to define the GDPR risk. The first one defends that compliance issues should be held out of the risk analysis processes. In other words, compliance should always take place and risk assessments should only come on top of that. As mentioned above, this approach finds support in WP29 documents and its 2017 DPIA Guidelines as well as several DPIA methodologies.
The second interpretation which Gellert defends states that ‘compliance should be directly integrated in the risk analysis process (as the “event”) insofar as it is the only possible way to achieve a number of additional goals associated with the risk-based approach (protection on the ground and scalability of compliance obligations)’
Moreover, the GDPR leaves the door open to data controllers about which impact assessment methodology should be purchased. Recital 90 states requirement of an objective method but GDPR remain silent in the context of how these risks to data subjects’ rights and freedoms will be assessed. The Art. 29 WP in its 2017 Guidelines argues that data controllers should be afforded the choice of impact assessment methodology in the name of a certain flexibility This means that the notion of risk purchased in impact assessment methodologies will be the key factor determining the protection afforded by the risk-based approach. Thus, the way risk is defined and understood is quite independent from GDPR.
Furthermore, in addition to implementation of risk-based approach in GDPR, some argue that the GDPR seems to purchase a number of elements of risk regulation; such as the institutional arrangements, risk scoring and public participation in regulation. However, since the risk regulation is not the subject of this study, I will only mention this issue to consider in the following part of this paper.
- Reflections of the Risk-Based Approach
This section focuses these unresolved challenges such as the difficulty of placing the risk in right-based regulation due to data protection foundations, too much faith in data controllers’ actions and ambiguous notion of risk which underpins shift towards risk-based approach.
- Will the Risk-Based Approach Protect Fundamental Rights Sufficiently?
Data protection law reflects aspects of social and economic legislation; it is a cluster concept. However, in essence, it purchases societal aims and its dominant objective is to protect individuals against negative impacts of data processing activity. This increased emphasis on fundamental rights objective of EU data protection law is placed in GDPR. Article 1(2) of the GDPR and the Council’s General approach explicitly state that the GDPR ‘protects the fundamental rights and freedoms of natural persons, and in particular their right to the protection of personal data’. This indicates right to data protection as a central focus of EU data protection.
The GDPR now also purchases risk-based approach, as it addresses in articles 24, 25 and 35 that the controllers need to take into account the risk when they take measures to comply with GDPR.
The damages include physical, material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data. In GDPR, the risks exemplified in an abstract way and need to be defined by data controllers according to specificities of each processing case.
Also, as mentioned above, according to some academics, the GDPR purchases some elements of risk regulation. However, while risk regulation is focused on potential harm and negative consequences, the data protection law purchases broader aim. The right to data protection is protected regardless of harms. Lynskey argues that regardless of existence tangible or intangible harm there is always general interest to grant control over their personal data to individuals. As opposed to approach of Art. 29 WP, some argues data protection authorities should target only risky processes rather than all data processing activities However, there is little agreement on what is meant by the ‘privacy risk’ faced by individuals and society’. Although the Art. 29WP states that ‘the risk-based approach should go beyond a narrow “harm-based” approach that concentrates only on damage and should take into consideration every potential as well as actual adverse effect’, there is no clarity about such risks exist. The controllers not able to evaluate risks from the eye of the beholder, they can only identify risks in a generalized manner. This idea undermines European standards and such an approach could not be accepted.
The EU data protection law has different foundations than risk regulation. It reflects aspects of economic and social regulation but now also places an increased emphasis on a risk-based approach to data protection. It is complex to align risks with right-based regulation. This risk-based approach also potentially detracts from the protection offered by the data protection regime. A pure risk-based approach would not read the data protection as a priority and protect data protection right sufficiently.
- Will Data Protection Be in the Hearts and Minds of Data Controllers?
Data protection law is always known with its difference between theory and practice.. Reliance on risk-based approach can be seen as a need to keep pace with emerging technology. In the era of big data, it is not possible to address all the negative impacts sufficiently resulting from the collection and use of data.  In this sense, the shift to risk-based approach (e.g. data protection impact assessment, privacy by default) partially reduces the difficulties about big data. In this light, the provisions of GDPR regarding risk-based approach offers a partial remedy to negative outcomes resulting from use of big data.
DPIAs as a new obligation on data controllers are seen as an ex ante ‘new enforced self-regulation model’ which ‘put faith in controller actions’. However, controllers’ position to assess risks and prevent harms is questionable. According to Koops, ‘as long as data protection is not in the hearts and minds of data controllers—and the law so far has done a poor job in reaching those hearts and minds.’ He also argues that DPIAs just will be paper checklist that controllers obliged to show auditors and authorities if they ever ask for it. 
While the idea of new business models is collecting data as much as it is possible, data controllers do not intent to limit data processing at minimum. They conduct their practices with the purpose of what is necessary for their business until and if they are asked by the data protection authorities. The risk-based approach as ‘the key enforcement method (...) leaving data protection issues mainly to data controllers to decide’ is certainly debatable as regards its effectiveness.
- The Nature of the Risk Required by the GDPR
Risk based-approach requires clear notion of risk. The notion of risk in the GDPR focuses ‘physical material and non-material damages’ or ‘tangible and intangible damages’ that affect the ‘rights and freedoms of natural persons’. This is compatible with right-based approach which focuses on rights protection rather than general trade-off between risks and benefits. According to this approach, if a risk to fundamental rights exists and cannot be excluded or reduced, data processing becomes unlawful without considering existence of any legitimate ground to processing activity.
In Recital no 75, the Council provides an illustrative list of cases where data processing activity is considered unlawful by referring ‘The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage.’
Recital 75 adopts broader assessment of different applications of data use. This represents an important step as it does not limit these assumptions to the data security, as did in the Directive, and takes into account any other social and economic disadvantages. This assumes significant relevance in big data context, where analytics may have negative impacts on individuals in terms of such as discrimination rather than data security. However, the provisions of GDPR do not provide an adequate framework on how to assess this kind of negative outcome. The understanding of the harms both tangible and intangible as well as actual negative impacts on individuals constitutes a starting point on risk assessment activities.
In the EU, there is a high level of uncertainty about how risk should be understood in the context of GDPR. It has been claimed by the Member States that no comprehensive definition of risk exists because; the level of risk depends the types of processes and law is not able to take into account and define all current risks in detail such as famously called “unknown unknowns”.
The GDPR relies on risk when set up responsibilities of data controllers and states that data controllers and data protection authorities will have the responsibility to assess and measure the risk of processing activities to data subjects. In the information security context risk can be identified and evaluated objectively considering events and threats to security. However, defining and establishing the risk is much more complex as far as the negative impact on a data subject’s rights and freedoms is concerned. Because potential harms are not limited to well-known privacy-related risks.
It does not seem possible to create an exhaustive list of harms arising from data processing.
There has been attempts from academia but still there is no comprehensive list of such harms exists. The GDPR is not only silent about how these risks to data subjects’ rights and freedoms will be determined in practice, but also it is silent about the choice of DPIA methodology. In the same line with the GDPR, the Art. 29 WP in its 2017 Guidelines keeps the door open by stating ‘the GDPR provides data controllers with flexibility to determine the precise structure and form of the DPIA in order to allow for this to fit with existing working practices.’
Also, negative effects of data-driven technologies can be on not only individuals but also to their communities, groups societies. As Spina notes, ‘the new digital service and products, in fact, present risks that cannot be easily measured or quantified in accordance with a mere technocratic paradigm; they do not only affect the individuals that use them, but transform the collective fabric of our society; they concern the cognitive rather than the physical integrity of human beings.’ The GDPR considers the group and social dimension of risks, but its assessment in practice remains unclear.
As stated above, the GDPR explicitly obliges controllers to enact compliance measures which take account of the risks of physical, tangible or intangible damage as a result of data processing. However, as the negative impact on individuals often might be intangible as well as tangible, it is necessary to identify and consider these intangible harms. According to Lynskey, because of intangible harms left articulated, it is not possible to justify the broad scope of EU data protection law. However, she suggests that at least, ‘the following intangible harms should be considered ‘a sense of individual powerlessness vis-à-vis data processors, an erosion of the ability of individuals to self-present, the inhibition and controlling of individual behaviour, and apprehension regarding future harms that may result from personal data processing’  Negative impact can vary from one individual to another and sometimes it is not possible to known by data controller. Likewise, the individuals it can differ from group to group. There are many factors that can affect something is being risky; such as on an individual level, age, previous experience, understanding, education, nationality, cultural values. For example, it is not likely for the child and the adult to experience same harm from the same risks.
For all these reasons mentioned above, Mantelero suggests that the existing DPIA should adopt the concept of Privacy, Ethical and Social Impact Assessment (PESIA), which measures negative outcomes considering societal and ethical consequences of data uses. He states that assessment considering social and ethical values is more complicated than traditional data protection assessments. Because social and ethical values are context-based and change from community to community.
There are questions remaining about whether DPIAs adequately addresses the risks to vulnerable individuals or should they be calibrated to specific individuals’ or groups’ needs. Are data controllers rightly placed to see the risk from the eye of the beholder? Could it be guaranteed that the DPIAs will ensure a level of protection across the EU when data controllers adopt different risk assessment methodologies? These questions require further guidance from the European Data Protection Board and the courts. As Lynskey notes, a concern exists that ‘data controllers, processors, and DPAs will underestimate the risks entailed by certain personal data processing, leading to an under-enforcement of rules’.
The concept of risk is a major plank of EU data protection law, forming a significant factor through the risk-based approach to regulation adopted under the GDPR. Risk is assigned a number of new functional roles under the GDPR when compared to the more limited role taken by risk under Directive 95/46/EC, where it was largely confined to the areas of data and information security. By contrast, under the GDPR, risk forms a core part of the accountability principle and triggers new obligations for data controllers. According to some academics, GDPR has been approaching to risk regulation and reflects some main elements of risk regulation.
These risk-based approach and involvement of risk in the GDPR present some challenges with the right-based nature of data protection law. Right-based regulation has different foundations than risk regulation. As it is not surprise, the possibility to match them is a quite complicated issue while they have different foundations. The reliance on risk as a regulatory tool shifts responsibility to data controllers for the protection of fundamental rights. This raises complex questions as the controllers are not in a good position to consider and assess risks correctly.
Also, an ambiguous notion of risk constitutes an obstacle to assess risks. It might lower the protection for data subjects as well. Because risks involving social and ethical values are not objective like in data security which could be assessed and measured through feared events and threats; instead, it is subjective, context-based and hard to evaluate.
There is no comprehensive list about privacy harms and negative impacts on individuals. The GDPR does not set out sufficient detail in its provisions to provide certainty as to the approach to be taken when assessing these types of negative impacts. Therefore, it is not possible to identify and assess them objectively and successfully by privacy risk management tools and methodologies as data controllers are entitled to choose their own impact assessment methodology. The unresolved issues maybe waiting for to be answered in time through the sector-specific DPIA frameworks which develops best-fitting methodologies for specific context.
To conclude, DPIAs should consider potential societal harms, risks and implications for fundamental rights, well-being of citizens, common good, work, leisure, environment, ethical values, social relations and so on. In order to achieve this, considering that data subjects are uniquely placed to assess the risk which a particular data processing entails them personally, a multi-stakeholder dialogue is needed.
- Article 29 Data Protection Working Party (2013b) ‘Statement of the Working Party on Current Discussions Regarding the Data Protection Reform Package’
- Article 29 Data Protection Working Party (2014) ‘Statement on the role of a Risk-Based Approach in Data Protection Legal Frameworks’
- Article 29 Data Protection Working Party (2017) ‘Revised Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679
- Centre for Information Policy Leadership, ‘A Risk-based Approach to Privacy: Improving Effectiveness in Practice’ (2014) <https://www.informationpolicycentre.com/uploads/5/7/1/0/57104281/white_paper_1-a_risk_based_approach_to_privacy_improving_effectiveness_in_practice.pdf> accessed 17 May 2018
- Council of the EU, Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)—Preparation of a general approach 9565/15, 11 June 2015: http://data.consilium.europa.eu/doc/document/ST-9565-2015-INIT/en/pdf accessed 17 May 2018.
- Gellert R, ‘Data Protection: A Risk Regulation? Between the Risk Management of Everything and the Precautionary Alternative’ (2015) 5 International Data Privacy Law 3, 3.
- Gellert R, ‘Understanding the Notion of Risk in the General Data Protection Regulation’ (2018) 34 Computer Law & Security Review 279.
- Gonçalves M, “The EU data protection reform and the challenges of big data: remaining uncertainties and ways forward” (2017) 26(2) Information & Communications Technology Law 90, 114.
- Hustinx P, ‘EU Data Protection Law: The Review of Directive 95/46 EC and the Proposed General Data Protection Regulation’ (2014) 1, 38: <https://edps.europa.eu/sites/edp/files/publication/14-09-15_article_eui_en.pdf> accessed 17 May 2018.
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ 2016 L 119/1.
- ISO 31000 (2018) Risk Management Guidelines. https://www.iso.org/obp/ui/#iso:std:iso:31000:ed-2:v1:en accessed 17 May 2018, 1.
- Koops B, “The trouble with European data protection law” (2014) 4(4) International Data Privacy Law 250.
- Kuner, C. ‘The European Commission’s Proposed Data Protection Regulation: A Copernican Revolution in European Data Protection Law’ (2012) 11 (6) Privacy & Security Law Report 1.
- Lynskey O, ‘The Foundations of EU Data Protection Law: The Dual Objectives of European Data Protection Regulation (Oxford University Press 2015) 82
- Macenaite M, ‘The “Riskification” of European Data Protection Law through a Two-fold Shift’ (2017) 18 (3) European Journal of Risk Regulation 506, 515.
- Quelle C, ‘The ‘risk revolution’ in EU data protection law: We can’t have our cake and eat it, too’ (2017) Tilburg Law School Legal Studies Research Paper Series 1, 8.
- Spina A, ‘A Regulatory Mariage De Figaro: Risk Regulation, Data Protection, and Data Ethics’ (2017) 8 European Journal of Risk Regulation 88.
 Raphael Gellert, ‘Data Protection: A Risk Regulation? Between the Risk Management of Everything and the Precautionary Alternative’ (2015) 5 International Data Privacy Law 3, 3.
 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ 2016 L 119/1.
 Orla Lynskey ‘The Foundations of EU Data Protection Law: The Dual Objectives of European Data Protection Regulation (Oxford University Press 2015) 82.
 Christopher Kuner, ‘The European Commission’s Proposed Data Protection Regulation: A Copernican Revolution in European Data Protection Law’ (2012) 11 (6) Privacy & Security Law Report 1.
 Claudia Quelle, ‘The ‘risk revolution’ in EU data protection law: We can’t have our cake and eat it, too’ (2017) Tilburg Law School Legal Studies Research Paper Series 1, 8.
 Milda Macenaite, ‘The “Riskification” of European Data Protection Law through a Two-fold Shift’ (2017) 18 (3) European Journal of Risk Regulation 506, 515.
 Centre for Information Policy Leadership, ‘A Risk-based Approach to Privacy: Improving Effectiveness in Practice’ (2014). <https://www.informationpolicycentre.com/uploads/5/7/1/0/57104281/white_paper_1-a_risk_based_approach_to_privacy_improving_effectiveness_in_practice.pdf> accessed 17 May 2018
 Lynskey (n 2) 84.
 Macenaite (n 6).
 Lynskey (n 2) 85.
 Peter Hustinx, ‘EU Data Protection Law: The Review of Directive 95/46 EC and the Proposed General Data Protection Regulation’ 1, 38: <https://edps.europa.eu/sites/edp/files/publication/14-09-15_article_eui_en.pdf> accessed 17 May 2018.
 Raphael Gellert, ‘Understanding the Notion of Risk in the General Data Protection Regulation’ (2018) 34 Computer Law & Security Review 279.
 Macenaite (n 6) 517.
 Art. 29 WP (2014) ‘Statement on the Role of a Risk-Based Approach in Data Protection Legal Frameworks’.
 Macenaite (n 6) 517.
 Quelle (n 5).
 Maceniate (n 6) 524.
 Quelle (n 5) 9.
 Hustinx (n 12).
 GDPR Article 35.
 Gellert (n 12) 281.
 ISO 31000 (2018) Risk Management Guidelines. https://www.iso.org/obp/ui/#iso:std:iso:31000:ed-2:v1:en accessed 17 May 2018, 1.
 Art. 29 WP (n 14) and Article 29 Data Protection Working Party (2013b) ‘Statement of the Working Party on Current Discussions Regarding the Data Protection Reform Package’
 Article 29 Data Protection Working Party (2017) ‘Revised Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679
 AWP29 (n 25) 2.
 Gellert (n 12) 279.
 ibid, 284.
 A29WP (n 25).
 GDPR Recital 78.
 Gellert (n 12) 286.
 A29WP 2017 (n 26) 17.
 Maceniate (n 6)525. See also Alessandro Spina, ‘A Regulatory Mariage De Figaro: Risk Regulation, Data Protection, and Data Ethics’ (2017) 8 European Journal of Risk Regulation 88.
 Lynskey (n 3).
 Council of the EU, Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)—Preparation of a general approach 9565/15, 11 June 2015: http://data.consilium.europa.eu/doc/document/ST-9565-2015-INIT/en/pdf accessed 17 May 2018.
 Spina (n 36).
 Lynskey (n 3) 195.
 Macenaite (n 6).
 CIPL (n 7).
 Lynskey (n 3).
 Macenaite (n 6).
 Bert-Jaap Koops, “The trouble with European data protection law” (2014) 4(4) International Data Privacy Law 250.
 Macenaite (n 6).
 Spina (n 36).
 Koops (n 45).
 Maria Eduarda Gonçalves, “The EU data protection reform and the challenges of big data: remaining uncertainties and ways forward” (2017) 26(2) Information & Communications Technology Law 90, 114.
 GDPR Recital no. 75.
 ‘We also know there are known unknowns; that is to say we know there are some things [risks] we do not know. But there are also unknown unknowns, the ones [risks] we don\\\'t know we don\\\'t know.’
 Art. 29 WP (n 27).
 Macenaite (n 6).
 Spina (n 36).
 Lynskey (n 3) Conclusions and Future Prospects, 257.
 Alessandro Mantelero, ‘Regulating big data. The guidelines of the Council of Europe in the context of the European data protection framework’ (2017) 33 Computer Law & Security Review 584, 589
 Lynskey, (n 3) 86