Risk and Proportionality in GDPR
In current political discussions about the General Data Protection Regulation, many GDPR advocates claim that the burdens on individuals and SMEs would not be too heavy, for two reasons:
- Many obligations would not apply because they are risk-based. Controllers would have to fulfill these obligations only if their processing of personal data resulted in a certain degree of risk.
- Many obligations would not apply because of the principle of proportionality. Controllers would not have to fulfill these obligations if doing so would involve a disproportionate effort.
On the other hand, the risk-based approach is hardly considered, if not ignored outright, by supervisory authorities (especially the German ones).
The above graph shows all 68 controllers' obligations. Obligations that may be scalable or inapplicable because of a lack of risk or because they are disproportionate are shown in green. In most cases, only the technical and organisational measures to be taken in order to fulfill the obligations are scalable. This, however, could have repercussions on the obligation itself.
See for yourself if risk and proportionality are reducing controllers' burdens in a noteworthy way.