The GDPR requires a risk assessment for all processing activities in order to decide whether a Data Protection Impact Analysis (DPIA) is necessary. This risk assessment may be based, among other things, on the score of the detailed qualification of the processing activity. Requirements for this qualification can vary from country to country. ARIS Accelerators for GDPR uses the Risk Management of ARIS Risk & Compliance Manager to assess the risk of each processing activity. ARIS Risk & Compliance Manager enforces the segregation of duties principle and provides an audit trail of all changes. It is advisable to create a GDPR impact type (risk impact type) for such assessments in ARIS Risk & Compliance Manager. The impact type can be customized. For detailed information, refer to the ARIS Accelerators for GDPR Installation Guide.
The assessment of risks with the Risk Management of ARIS Risk & Compliance Manager is performed in two steps for each processing activity: