Risk assessments are assessments that you as a data controller must make of the risks to which the data subjects (customers, employees, etc.) are exposed.

Risk assessments are important because the regulation basically requires risk assessment to ensure that technical and organizational security measures are proportional to the information you as a data controller process. This means that you plan your security measures based on what data you handle to achieve the best possible security and protection of the data subject’s information.

Risk assessments are carried out in three steps:

• First, a risk is defined
• Then any risk categories are defined
• Finally, a risk assessment is carried out that describes how the risk specifically affects the individual category, work process, IT system or data recipient.

To navigate the different items:

When you click on ‘risk assessments’, a sub bar will open with the following options:

1. Risks: All work processes, IT systems/information assets and data recipients must be risk assessed to ensure full protection of the data subject.
2. Risk categories: It may be an advantage, to facilitate the work with the assessments, to group the assessments into categories. You can get some inspiration for different risk categories in the bottom of this page.

Navigation to risks

To access, create and edit risks, you must log in to the portal. Inside the portal, on the left side, you will find a bar where you must click on ‘Risk assessments’, after which a subbar will open. Here, click on ‘Risks’ to open the overview of risks. The overview is divided into different areas:

1. Create a risk.
2. This icon is an information icon. Click here to read more about risks.
3. When wanting to edit a risk, click here.
4. By clicking on this icon, you will delete a risk.
5. This icon is an archive icon. If you click here, the risk will be archived.
6. This is an overview of existing risks, as well as the status of risk assessments.

When you click ‘create’ a window will open. Here you need to specify the title of the risk and create risk assessment. When creating risk assessment, you must choose which type it is. Read more about how to create a risk assessment here.

Navigation to risk categories

A risk category is a grouping of work processes, IT systems/information assets and/or data recipients that have the same risks associated with them and where therefore a single risk assessment can be carried out for the category.

It is a fundamental requirement for the regulation that risk assessment is carried out to ensure that technical and organizational security measures are proportional to the information you as a data controller process.

As the regulation does not impose requirements on how detailed the risk assessments must be, you can group your work processes, etc., if these are subject to the same risks. This makes the risk assessment process more efficient and manageable.

How to work with risk categories

To access, create and edit the risk category, you must log in to the portal. Inside the portal, on the left side, you will find a bar where you must click on ‘Risk assessments’, after which a subbar will open. Click here on ‘Risk categories’ to open the overview of the categories. The overview is divided into different areas:

1. Create a risk category
2. Edit an existing risk category
3. Advanced search function
4. Delete risk category
5. Archive risk category
6. Overview of risk category titles
7. Overview of whether a risk assessment has been carried out and its status.
8. Status on whether it is an accepted risk.

When you click ‘create’ (1) or edit (2) a window will open. Here you need to specify a title, describe the category and add elements. Clicking on ‘add items’ opens a list where you can choose between work processes, IT system / information asset and / or data recipient.

Suggested risk categories

It is important that the categories are made on the basis of the individual company’s specific circumstances. Below you can see GapSolution’s suggestions for which risk categories that may be relevant to consider:

• Enforcement of the data subject’s rights (requests for access, rectification, etc.)
• Processes for IT development that the company handles internally
• IT systems/information assets using only ordinary personal data and not used for critical functions
• Processing of contact information (customers, suppliers, etc.)
• Customer-facing services
• Accounting
• Employee data (HR)
• Physical security of the company (alarms, monitoring, etc.)

The above is only an inspiration list, and the categories should be based on a specific assessment in the individual company. IT systems with a particularly critical function should always be risk assessed separately.