Law and Technology in Data Processing: Risk-Based Approach in EU Data Protection Law and Implementation Challenges in Croatia

Recently reformed EU personal data protection rules (General Data Protection Regulation) provide mechanisms to ensure that under strict legal responsibility risks inherent in modern data processing operations are appropriately and timely identified and managed. Analysis in the paper focuses on its risk-oriented rules aiming to ensure proper data security and data protection compliance from earliest data processing stages, and envisaged impact assessment procedure as an important tool toward identifying and mitigating risk in certain high-risked operations. Assessment of impacts that processing activities, as enabled by further technological advancements, may have on individuals' rights and freedoms requires continuous consideration, in particular as some possibly cannot yet be perceived and/or assessed whether in terms of nature or severity (scope). This adds to analysed open issues requiring further clarification in the area, in connection with initiatives towards the more specific, harmonized EU procedure. Examined risk assessment solutions currently envisaged under the Data Protection Directive, as implemented under Croatian law, and lacking local practice in the area point to likely local implementation challenges of the soon directly applicable, more comprehensive and strict new EU rules, as a result of which proposals are made toward urgent and intensive awareness-raising measures.