Another of the major novelties of the GDPR is the incorporation of the "risk-based approach". Under this approach, the measures intended to ensure compliance must take into account the nature, scope, context and purposes of the processing, as well as the risk to the rights and freedoms of natural persons.
Accordingly, some of the measures the GDPR establishes need only be applied when there is a high risk to rights and freedoms, while others must be modulated according to the level and type of risk presented by the processing operations.
The application of the measures provided for by the GDPR must therefore be adapted to the characteristics of each organization. What may be appropriate for an organization handling the data of millions of data subjects, in complex processing operations involving sensitive personal information or significant volumes of data about each data subject, is not strictly necessary for a small entity carrying out a limited volume of non-sensitive data processing. Organizations will also need to review and update the measures when necessary.
In this context, art. 28.2 of Organic Law 3/2018, of December 5, on the protection of personal data and the guarantee of digital rights, lists, in a non-exhaustive manner, a series of cases that can give rise to a higher risk.