
Re.04 Risk-based Approach

The GDPR does pursue a risk-based approach [Tile PC.17]. However, this falls far short of the original idea. A true risk-based approach should reduce or even eliminate the controller's obligations for low-risk or risk-free data processing. By and large, however, the GDPR's risk-based approach only means that the technical and organisational measures that must be taken to comply with the numerous obligations depend on the risk. The obligations themselves are not minimized or reduced. And there are only two obligations that can be dispensed with entirely if the risk is low (Art. 30 V GDPR and Art. 33 I 1 GDPR).

 

Furthermore, the risk-based approach of the GDPR is hardly used by data protection supervisory authorities and data processors (for various reasons).

In order to create legal certainty, low-risk data processing should be exempted from obligations on the basis of the opening clauses of the GDPR and data protection supervisory authorities should be encouraged to promote the use of data in the sense of the GDPR.

Authors
Winfried Veil
Last update: 2025-02-25 17:19:43
By: Winfried Veil
Created at: 2021-08-30 09:35:55