The OECD’s Working Party on Security and Privacy in the Digital Economy (Working Party) and the Centre for Information Policy Leadership (Centre) issued a white paper on ‘The Role of Risk Management in Data Protection.’

This paper explores the link between risk and accountability, and focuses on three key areas: (1) the role of risk management in data protection as implemented into legal requirements, interpreted by regulators, and put into practice by responsible organisations; (2) the growing consensus around risk management as an essential tool for effective data protection; and (3) key considerations that affect the role of risk in data protection law and practice.

The white paper states that risk management does not alter rights or obligations, but is an essential tool for prioritising activities, raising awareness of risks, and remediating and mitigating risk in line with the EU Art. 29 Working Party’s “scalable and proportionate approach to compliance.” It also discusses how the OECD could play a key role in helping to develop and implement a privacy framework.

Several data-protection authorities in the EU, particularly in France and Germany, have raised concerns that a risk-based approach to data protection could weaken fundamental rights. The white paper demonstrates that a risk-based approach that focuses on the likelihood and severity of harms from the individual’s perspective could in fact strengthen data protection.