The risk-based approach is a pillar of EU data protection law, mandating data controllers and processors to adapt their obligations to reflect the level of risk to the rights and freedoms of natural persons. Despite clear aims of strengthening data protection, accommodating diverse interests and providing greater flexibility in complying with the law, understanding and assessing this risk presents particular conceptual and practical challenges. This paper seeks to clarify these issues to improve legal compliance and safeguard fundamental rights. First, it scrutinizes the nature of such risk and its assessment, examines related concepts, like damage, and explores inherent problems. Next, it expands the understanding of such risk by introducing a broader, more comprehensive construct of ‘negative consequences’, provides concrete, precise examples and proposes their typology. Subsequently, it presents a method for efficiently identifying these consequences, i.e., an inventory with complementary classification criteria. It concludes by discussing the applicability of our findings in sister domains of law and suggesting further research.
Kloza et al. studied this question.