GDPR Risk Assessment

Operations related to the purposes of processing

Risk factors arising from the stated purpose of the processing and other purposes linked to the main purpose.

Types of data used

Risk factors related to the scope of the processing which arise from the data collected, processed or inferred in the processing.

Extent and scope of data processing

Risk factors related to the scope of the processing according to the number of subjects concerned, the diversity of data or aspects processed, the duration in time, the volume of data, the geographical extent, the completeness of the profile on the individual, the frequency of collection, etc.

Categories of data subjects

Risk factors related to the scope of the processing arising from the category of data subjects, such as employees, minors, the elderly, persons in vulnerable situations, victims, disabled persons, etc.

Technical processing factors

Risk factors arising from the nature of the processing when implemented with certain technical features or technologies.

Data collection and generation

Risk factors arising from the nature of the processing when data are collected or generated in a specific way.

Side effects of processing

Risk factors that arise from the context that were not contemplated in the original intended purposes of the processing. In this case, the AEPD has not assessed the level of risk, but only the potential impact. The controller will have to assess the likelihood of these threats materialising in its processing, so the "Likelihood" column is left empty. Once completed, the level of risk can be determined using, for example, the 'likelihood x impact' risk matrix in the Guidance.

Category of controller/processor

Risk factors arising from the specific context of the sector of activity, business model or type of entity. In this case, they are generally understood for processing operations that are not part of the entity's support processes.

Data communications

Risk factors arising from the context in which data are communicated to third parties in the context of processing.

Other processing-specific risk factors

It is necessary to study the peculiarities of the processing in order to identify risk factors for rights and freedoms that are not explicitly identified in the GDPR or its implementation. The person responsible for carrying out the risk analysis must critically analyse the processing in order to point out those unique situations that could be affected from the point of view of the risks introduced, in particular those identified in the codes of conduct and certification schemes to which the entity adheres.

Security in data processing

Risk factors arising from the possible materialisation of security breaches on personal data.



Purposes No Data
Types of data No Data
Scope No Data
Data subjects No Data
Techniques No Data
Collection No Data
Effects No Data
Controller No Data
Communications No Data
Other No Data
Security No Data

This report is intended as a support document for the implementation of risk management. In no case does it replace that risk management, nor the obligations of controllers and processors. The use of tools cannot reduce compliance with the principle of proactive responsibility (accountability) to a merely formal matter, nor limit the decision-making capacity when it comes to assessing risk. No tool, in and of itself, makes the decisions on the purposes and means of processing that correspond to the controller; it does not replace the obligations and principles applicable to a processing operation according to its nature, scope, purposes and context, nor does it implement the data protection policies or the measures and safeguards for the management of risk to rights and freedoms.

In any case, when using the results of this tool, it is advisable to add references and comments (documents, links, notes, reports, etc.) on each of the risk assessments carried out.


Analysis of the level of risk and of the obligation of a Data Protection Impact Assessment

GDPR RISK ASSESSMENT is intended to assist controllers and processors to identify the risk factors for the rights and freedoms of data subjects whose data are present in the processing, to make an initial assessment of the intrinsic risk, including the need to perform a DPIA, and to estimate the residual risk if measures and safeguards are used to mitigate the specific risk factors.

The purpose of this tool is to support controllers and processors in their risk management process for the rights and freedoms of data subjects and, where required, in carrying out the DPIA, in line with the guidelines "Risk management and impact assessment in the processing of personal data" published by the AEPD in July 2021. Prior knowledge of that guide is therefore required in order to use this tool correctly.

The risk factors set out in this tool are not exhaustive but minimum risk factors; the data controller shall identify those that are specific to the processing and include them in its assessment, taking into account the specific nature, scope, context and purposes of the processing of personal data.

The assessment of the level of risk for each factor carried out by the tool, as well as the final calculation of the level of risk, is of a general nature and represents a minimum assessment that, where appropriate, the controller will have to adjust in order to determine the level of risk of the processing accurately.


The tool runs in a web browser locally (without an internet connection).