What if the main data protection vulnerability is risk management? Data protection merges three disciplines: data protection law, information security, and risk management. Nonetheless, very little research has been done in the field of data protection risk management, where subjectivity and superficiality are the dominant state of the art. Since the GDPR tells you what to do, but not how to do it, the solution for approaching GDPR compliance is still a gray zone, where the trend is to rely on rules of thumb. Considering that the most important goal of risk management is to reduce uncertainty in order to make informed decisions, risk management for the protection of the rights and freedoms of the data subjects cannot be disconnected from the impact materialization that data controllers and processors need to assess. This paper proposes a quantitative approach to data protection risk-based compliance from a data controller's perspective, with the aim of proposing a mindset change, where data protection impact assessments can be improved by using data protection analytics, quantitative risk analysis, and calibrated expert opinions.