Residual Risk

Definition

The risk that remains after an organization implements security controls and mitigation measures to address identified privacy and data protection threats. No security measure eliminates all risk—even with encryption, access controls, and monitoring, some vulnerability persists due to human error, unknown threats, or practical limitations.

Residual risk assessment involves identifying initial risks, implementing controls, evaluating control effectiveness, and determining acceptable remaining risk levels. Organizations must decide whether residual risks are acceptable or require additional measures. Under GDPR Article 32, companies should implement security 'appropriate to the risk,' meaning some residual risk may be acceptable if additional controls are impractical or disproportionately expensive.

Data Protection Impact Assessments should document residual risks and justify acceptance decisions. Risk acceptance should be formal, documented, and periodically reviewed as threats evolve. When residual risks are unacceptable, organizations should implement additional controls, redesign processes, or reconsider whether the processing is necessary.
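The assessment steps above (initial risk, controls, control effectiveness, acceptable remaining level, documented acceptance with a review date) can be carried through on a small risk register. The following is an added illustration, not code from the original page; the 1-to-5 likelihood and impact scales, the multiplicative treatment of layered controls, and the risk-appetite threshold are assumptions chosen for the example, and the two register entries are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed qualitative scales: likelihood and impact each scored 1 (low) to 5 (high).
# Inherent risk = likelihood x impact, so scores range from 1 to 25.


@dataclass
class Control:
    name: str
    effectiveness: float  # assumed fraction of the risk removed, 0.0 to 1.0


@dataclass
class Risk:
    name: str
    likelihood: int
    impact: int
    controls: list = field(default_factory=list)

    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    def residual_score(self) -> float:
        # Assumption: layered controls reduce risk multiplicatively, so two
        # independent controls of 0.8 and 0.5 leave 0.2 * 0.5 = 10 % of the risk.
        remaining = 1.0
        for control in self.controls:
            if not 0.0 <= control.effectiveness <= 1.0:
                raise ValueError(f"effectiveness out of range for {control.name}")
            remaining *= 1.0 - control.effectiveness
        return self.inherent_score() * remaining


def assess(risk: Risk, appetite: float, today: date, review_days: int = 365) -> dict:
    """Return the acceptance record for one risk against a risk-appetite threshold.

    Residual at or below the appetite is formally accepted and given a review
    date; anything above it is flagged for treatment (more controls, process
    redesign, or reconsidering the processing).
    """
    residual = risk.residual_score()
    decision = "accept" if residual <= appetite else "treat"
    return {
        "risk": risk.name,
        "inherent": risk.inherent_score(),
        "residual": round(residual, 2),
        "appetite": appetite,
        "decision": decision,
        # A formal acceptance must be revisited as threats evolve.
        "review_date": today + timedelta(days=review_days) if decision == "accept" else None,
        "justification": (
            "residual within appetite; further controls disproportionate"
            if decision == "accept"
            else "residual exceeds appetite; additional measures required"
        ),
    }


# Constructed sample register (not from the page).
REGISTER = [
    Risk("Loss of customer database", 4, 5,
         [Control("encryption at rest", 0.8), Control("role-based access", 0.5)]),
    Risk("Misdirected e-mail with personal data", 3, 5,
         [Control("outbound monitoring", 0.3)]),
]


def assess_register(appetite: float, today: date) -> list:
    return [assess(r, appetite, today) for r in REGISTER]


if __name__ == "__main__":
    for record in assess_register(appetite=4.0, today=date.today()):
        print(record)
```

The register output is the kind of artefact a Data Protection Impact Assessment should contain: the inherent score, the residual score after controls, the threshold it was judged against, the decision, and the date on which the acceptance will be reviewed.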

Applicable Laws & Regulations

  1. GDPR Article 32
  2. GDPR Article 35
