This is one of the hardest areas to address: the areas and scale of risk vary for every organisation, so they need to be evaluated through a proper Risk Assessment.
One thing to bear in mind is that risk should be evaluated from the point of view of the individual whose data is processed, and judged according to the scale of the potential harm to that individual.
The GDPR describes the risk areas, but there is an element of judgement for each organisation. It is not as simple as counting how many individuals’ data you process: the type of data and the extent of the processing are equally important, and all of these factors affect the level of risk.
For example, if you are responsible for a small amount of personal data which, if not properly managed, could have a very serious impact on the individual, then the risk must be judged as high, and you must take appropriate steps to mitigate it and safeguard that personal data.