1 The likelihood and severity of the risk to the rights and freedoms of the data subject should be determined by reference to the nature, scope, context and purposes of the processing. 2 Risk should be evaluated on the basis of an objective assessment, by which it is established whether data processing operations involve a risk or a high risk.
This recital of the General Data Protection Regulation clarifies article 24 GDPR (Responsibility of the controller) and article 32 GDPR (Security of processing).*