Abstract
The risk-based approach was introduced into the GDPR in order to apply a proportionate level of protection in individual cases. The reform of the provisions on personal data protection was also intended to ensure the technological neutrality of the adopted legal act. The article discusses two main issues:

1) How does the risk-based approach operate in practice, and does it meet expectations?
2) What solutions currently available on the market may facilitate application of the risk-based approach?

The author formulates the following postulates for the future regarding the risk-based approach:

1) updating and clarifying the EDPB guidelines on the risk-based approach, risk analysis, data protection impact assessment and the accountability principle, in order to facilitate the performance of these tasks and to ensure a certain level of regulatory certainty, in particular for SMEs;
2) putting emphasis on the creation of codes of conduct for individual sectors, which would enable application of the risk-based approach that takes into account the specificity of an industry and the scale of data processing;
3) establishing certification mechanisms as well as data protection seals and marks, taking into account the needs of SMEs, with which administrators and processors can demonstrate that their processing operations comply with the GDPR.