The concept of a risk-based approach to data protection came to the fore during the overhaul process of the EU's General Data Protection Regulation (GDPR). At its core, it consists of endowing the regulated organizations that process personal data with increased responsibility for complying with data protection mandates. Such increased compliance duties are performed through risk management tools. This book provides a comprehensive analysis of this legal and policy development, which considers a legal, historical, and theoretical perspective.
By framing the risk-based approach as a sui generis implementation of a specific regulation model 'known as meta regulation, this book provides a recollection of the policy developments that led to the adoption of the risk-based approach in light of regulation theory and debates. It also discusses a number of salient issues pertaining to the risk-based approach, such as its rationale, scope, and meaning; the role for regulators; and its potential and limits. The book also looks at they way it has been undertaken in major statutes with a focus on key provisions, such as data protection impact assessments or accountability.
Finally, the book devotes considerable attention to the notion of risk. It explains key terms such as risk assessment and management. It discusses in-depth the role of harms in data protection, the meaning of a data protection risk, and the difference between risks and harms. It also critically analyses prevalent data protection risk management methodologies and explains the most important caveats for managing data protection risks.
Introduction: The Risk-Based Approach as the Opposite of the Rights-Based Approach, or as an Opportunity to Analyse the Links Between Law, Regulation, and Risk? 1: Fundamental Notions: Risk and Regulation 2: Data Protection as Command and Control Regulation 3: Issues with Data Protection as Command and Control Regulation 4: Changes of Regulatory Models: From Command and Control to Meta Regulation 5: Meta Regulation in Data Protection Law: The Risk-Based Approach 6: Risk and the Risk-Based Approach: Between Data Protection Risks and Compliance Risks 7: The Risk-Based Approach in Practice: Caveats Conclusion: Back to the Rights/Risk-Based Approaches, and the Future of Data Protection
Raphaël Gellert is an assistant professor in ICT and private law at Radboud University, where he is a member of the Radboud Business Law Institute, and of the interdisciplinary Hub for Security, Privacy and Data Governance. He is also an affiliated researcher at the Research Group on Law, Science, Technology & Society (LSTS) of the Vrije Universiteit Brussel (VUB).