The Hellenic Data Protection Authority launched, in December 2024, the implementation of the project entitled “Driven by risk: Fostering data protection risk assessment for SMEs and raising risk awareness among the general public (byRisk)”, following the successful submission of a proposal to the European Commission (https://byrisk-project.eu/). It is noted that the project is implemented under the coordination of the Authority and in cooperation with the University of Piraeus and the Greek ICT company Abovo, and is co-funded at a rate of 90% by the European Commission.[1]
The project has two main objectives:
- To provide practical support to small and medium-sized enterprises (SMEs), acting as “data controllers”, through the development and provision of a tool for assessing the risks associated with the personal data processing activities they carry out.
- To ensure appropriate information and awareness-raising for all interested parties (the general public, ICT professionals and students), also through the development and provision of a tool for information and risk awareness related to common data processing activities carried out by a wide range of data controllers.
For the development of these tools, a needs assessment was conducted, along with the analysis and definition of relevant data protection requirements arising from the applicable national and European legal and regulatory framework. With the aid of a dedicated questionnaire, the relevant needs of SMEs regarding the risk assessment of data processing activities were identified, and the corresponding requirements were analysed and specified. SMEs operating in the sectors of tourism, education, retail trade, catering, healthcare and information technology services were approached, mainly through their professional associations.
Within this framework, the following tools are being developed:
• Risk Assessment Tool for Small and Medium-sized Enterprises: the individual software components, databases and user interfaces implementing the tool’s functionalities have already been developed, while testing is underway to verify and validate its accuracy, reliability and usability. The tool is expected to be completed and launched in pilot operation by March 2026.
• Data Protection Risk Awareness Tool: its development was based on a platform created within a previous project of the Authority, which initially supported multilingual questionnaires and document generation. For the purposes of the current project, the platform was extended to incorporate a structured risk modelling framework, including conceptual entities, mappings between entities and the mechanisms required to derive risk-related conclusions. The tool provides both an end-user interface and an administrative interface, delivered as web applications, and has been developed as a full JavaScript application.
To disseminate the project results, a series of actions has been designed and is being implemented, including the development of a dedicated project website, the publication of press releases, newsletters, leaflets and articles in the media. In addition, the organisation of an international conference is planned for October 2026, aiming to promote the sustainability of the project results. Representatives of peer supervisory authorities from EU Member States and of the European Data Protection Supervisor, the European Commission, as well as academic experts and researchers in the field of data protection, are expected to participate in the conference.
[1] The byRisk project is funded by the European Union’s Citizens, Equality, Rights and Values (CERV) Programme and is coordinated by the Hellenic Data Protection Authority. The views and opinions expressed are those of the project partners only and do not necessarily reflect those of the European Union or the European Commission. Neither the European Union nor the granting authority can be held responsible for them.
