Human risk – risk to the rights, freedoms, welfare and interests of individual human beings – is the core of data protection. Organisations tend to default to considering risk solely in terms of business impact (to their financial, commercial, operational or legal position), so the GDPR explicitly requires that human risk be considered and factored into decision-making, particularly when high-risk processing is envisaged.

There’s a wealth of info out there about the process of conducting a DPIA: templates, checklists and guidance which tell the reader to think about impacts to data subjects’ rights and freedoms, but provide little assistance in actually doing so. Fair enough, because the answer to “what rights and freedoms do I need to think about, and why?” is “it depends on the nature, scope, context and purposes of the processing”, which is very difficult to turn into a template, checklist or guidance document that doesn’t just cop out and say “it depends, go and think about it”.

I spend a lot of time thinking about how data harms can occur, and came up with this mind map to help steer my thinking. It’s not exhaustive and it doesn’t provide a list of if-then rules, but there are some technologies which will inevitably impose adverse impacts on data subjects unless and until active measures are taken to correct for, avoid, prevent, detect and resolve such effects, so I have sketched those out here.

Happy risk-assessing!

(PDF versions available to Patrons on request)
