Question 24
Which scenario most strongly suggests a need for a formal risk assessment?
Correct answer: B
Explanation
A formal risk assessment is needed when processing is likely to create high risk, especially for “profiling” and decisions with legal or similarly significant effects. Using “precise geolocation and third-party data to make eligibility decisions” combines sensitive tracking with automated decision-making, which strongly indicates elevated privacy and fairness risks.
Why each option is right or wrong
A. A team updates a logo on the company homepage
B. A product begins profiling users with precise geolocation and third-party data to make eligibility decisions
Article 35(1) GDPR requires a Data Protection Impact Assessment where processing is likely to result in a high risk to individuals, and Article 35(3)(a) specifically flags systematic and extensive evaluation of personal aspects based on automated processing, including profiling, that produces legal effects or similarly significant effects. Using precise geolocation together with third-party data to determine eligibility is exactly the kind of high-risk, large-scale decisioning that triggers this threshold, because it combines location tracking with automated assessment of access or entitlement.
C. An office changes its printer vendor
D. A department renames an internal folder