How to Identify and Mitigate High-Risk Data Processing Activities

Understanding High-Risk Processing

Under GDPR, "high-risk" processing is not precisely defined but characterized by indicators that suggest significant potential impact on individuals. The EDPB's nine criteria (evaluation/scoring, automated decisions, systematic monitoring, sensitive data, large scale, combined datasets, vulnerable subjects, new technologies, and blocking access to services) provide the primary framework for identification.

Risk Identification Methodology

Follow a structured approach to identify risks in your processing activities:

1. Map data flows: Document every step from collection to deletion, including third-party sharing.
2. Identify threat sources: External attackers, malicious insiders, accidental human error, system failures, partner/vendor risks.
3. Catalog potential impacts: Physical harm, financial loss, discrimination, reputational damage, loss of confidentiality, loss of autonomy.
4. Assess likelihood: Consider existing controls, historical incidents, threat intelligence, and the attractiveness of the data.
5. Rate severity: Consider the number of affected individuals, the sensitivity of data, and the reversibility of the impact.

Risk Scoring: Impact vs. Likelihood

Use a risk matrix combining likelihood (rare, unlikely, possible, likely, almost certain) and impact (negligible, minor, moderate, significant, severe) to produce a risk score:

• Low risk: Standard controls sufficient. Document and proceed.
• Medium risk: Enhanced controls recommended. Document justification.
• High risk: Significant mitigation required before processing. Consider alternatives.
• Critical risk: Do not proceed without substantial changes. Consider prior consultation with the supervisory authority (Article 36).

Common High-Risk Activities

• AI/ML model training on personal data: Risk of bias, discrimination, and opaque decision-making. The Cisco 2026 study found 23% of organizations lack an AI governance committee.
• Employee monitoring: Keystroke logging, email scanning, location tracking of employees.
• Large-scale profiling: Customer segmentation based on behavior, health risk scoring, credit scoring.
• Biometric processing: Facial recognition, fingerprint scanning, voice recognition for authentication.
• Children's data processing: Any processing of data from individuals under 16 (or 13 in some Member States).
• Cross-border transfers: Sending personal data to countries without adequate data protection laws.

Mitigation Strategies

Technical Measures

• Encryption: At rest and in transit for all personal data.
• Pseudonymization: Replace identifiers with tokens to reduce re-identification risk.
• Access controls: Role-based access with least privilege principle.
• Data minimization: Collect only the data strictly necessary for the purpose.
• Automated deletion: Enforce retention periods through automated data lifecycle management.

Organizational Measures

• Training: Regular privacy awareness training for all staff handling personal data.
• Policies: Clear data handling policies with enforcement mechanisms.
• Incident response: Documented and tested breach response procedures.
• Vendor management: Data processing agreements with all third parties and regular audits.

Residual Risk and Prior Consultation

After applying mitigations, reassess the risk. If residual risk remains high despite all reasonable measures, GDPR Article 36 requires prior consultation with your supervisory authority before processing begins. The authority has 8 weeks (extendable to 14) to provide written advice.

Jerisaliant's risk scoring engine automates risk calculation, suggests contextual mitigations, and flags when prior consultation may be required.