Inherent vs Residual Risk
The two scores a GDPR risk assessment records — before controls and after — why both matter, and when high residual risk triggers Article 36.
Inherent risk is the likelihood and severity of harm to individuals before any controls are applied; residual risk is what remains after the planned technical and organisational measures. A GDPR risk assessment records both because a single score hides the one thing a regulator wants to see — whether a high-risk activity has actually been brought under control, or simply written down. This guide defines each, explains why both belong on the record, and shows how the residual rating decides whether processing can proceed.
Key takeaways
- Inherent risk is the exposure before controls; residual risk is what is left after them.
- The gap between the two is the value of the controls — recording only one figure hides it.
- Both are scored as likelihood × severity, and under Article 35(7) the residual rating is a reasoned decision, not a number a tool generates on its own.
- If high residual risk remains after mitigation, Article 36 may require prior consultation with the DPC or ICO before processing begins.
What is inherent risk?
Inherent risk is the level of risk to individuals' rights and freedoms before any safeguards are taken into account — the raw likelihood and severity of harm from a processing activity as if no controls were in place. It is the baseline a privacy team is trying to reduce, and it is what a DPIA assesses first under GDPR Article 35(7)(c): an assessment of the risks to the rights and freedoms of data subjects, established before the mitigating measures are weighed.
What is residual risk?
Residual risk is what remains after the planned technical and organisational controls are applied. It is the figure that actually decides whether processing can proceed. Under Article 35(7)(d) a DPIA must set out the measures envisaged to address the risks, and the residual rating is the reasoned judgement of what is left once those measures are in place — recorded with the evidence behind it, not asserted. Where the residual level is still high, Article 36 prior consultation with the supervisory authority is the next step.
Why record both?
The gap between inherent and residual risk is the value the controls deliver. A register that records only one number cannot show whether a critical risk was genuinely mitigated or merely noted — and that is precisely the question a Data Protection Commission (DPC) or Information Commissioner's Office (ICO) review asks. Recording both, with the reasoning between them, is what makes the rating defensible.
| | Inherent risk | Residual risk |
|---|---|---|
| When measured | Before controls | After the planned controls |
| What it shows | The starting exposure being managed | Whether the remaining risk is acceptable |
| Decides | Whether the activity is high-risk at all | Whether processing can proceed, or escalates |
| GDPR anchor | Article 35(7)(c) — assessment of the risks | Article 35(7)(d) & Article 36 — measures and prior consultation |
How to score inherent and residual risk
Both are scored the same way — likelihood combined with severity of impact on individuals — usually on a matrix, but the score is a reasoned judgement, not a calculation a tool can own. Assess the inherent likelihood and severity first; then record the controls and re-assess to get the residual figure; then decide whether the residual level is acceptable, needs further mitigation, or triggers Article 36 prior consultation. The rating holds up under scrutiny only when it is recorded with the evidence and the reasoning behind it, which is why an automated score with no provenance is hard to defend. The fields a register uses to hold both scores are set out in the privacy risk register template, and the obligation behind the assessment is in the DPIA guide.
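As an added illustration (not code from the article), the register model below keeps the assessor's inherent and residual ratings side by side, refuses to treat a residual rating as settled until the controls, reasoning and evidence behind it are recorded, and maps a residual level that stays high to Article 36 prior consultation. The 1–5 scale, the matrix bands and the field names are assumptions; the article prescribes no fixed matrix.

```python
# Added example, not from the article: a minimal privacy risk register entry
# holding both scores plus the provenance of the residual judgement.
# Assumed: a 1-5 likelihood/severity scale and the band thresholds below.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SCALE = range(1, 6)  # assumed 1-5 scale for likelihood and severity


def rate(likelihood: int, severity: int) -> str:
    """Map likelihood x severity onto the assumed matrix bands (low/medium/high)."""
    if likelihood not in SCALE or severity not in SCALE:
        raise ValueError("likelihood and severity must each be 1-5")
    score = likelihood * severity
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


@dataclass
class RiskEntry:
    activity: str
    inherent: Tuple[int, int]                  # (likelihood, severity) before controls
    controls: List[str] = field(default_factory=list)
    residual: Optional[Tuple[int, int]] = None  # assessor's re-rating after controls
    reasoning: str = ""                         # why the residual level is what it is
    evidence: List[str] = field(default_factory=list)  # e.g. test reports, contracts


def decide(entry: RiskEntry) -> dict:
    """Return both ratings and the outcome the residual level dictates.

    The tool does not generate the score: it records the assessor's ratings and
    flags a residual rating that lacks controls, reasoning or evidence, since
    Article 35(7) calls for a reasoned, evidenced decision.
    """
    inherent = rate(*entry.inherent)
    if entry.residual is None:
        return {"inherent": inherent, "residual": None, "outcome": "assess residual"}
    residual = rate(*entry.residual)
    if not (entry.controls and entry.reasoning and entry.evidence):
        outcome = "not defensible: record controls, reasoning and evidence"
    elif residual == "high":
        outcome = "Article 36 prior consultation before processing"
    elif residual == "medium":
        outcome = "further mitigation or documented acceptance"
    else:
        outcome = "proceed"
    return {"inherent": inherent, "residual": residual, "outcome": outcome}
```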
Common questions about inherent and residual risk
What is inherent risk?
Inherent risk is the level of risk to individuals' rights and freedoms before any controls are applied — the raw likelihood and severity of harm from a processing activity as if no safeguards were in place. It sets the baseline a privacy team is trying to bring down, and it is what a DPIA assesses first under GDPR Article 35(7)(c) before the mitigating measures are considered.
What is residual risk?
Residual risk is the level of risk that remains after the planned technical and organisational controls are applied. It is the figure that actually decides whether processing can proceed: under GDPR Article 35(7)(d) a DPIA must set out the measures envisaged to address the risks, and the residual rating is the reasoned judgement of what is left once those measures are in place. Where a high residual risk remains, Article 36 may require prior consultation with the supervisory authority before processing begins.
What is the difference between inherent and residual risk?
Inherent risk is measured before controls; residual risk is measured after them. The gap between the two is the value the controls deliver. Recording only one figure hides whether a high-risk activity has genuinely been brought under control or simply documented — which is why a defensible risk register and DPIA record both, with the residual rating as a reasoned decision supported by the evidence rather than a single number generated by a tool.
What happens if residual risk stays high after mitigation?
If, after the planned controls, the residual risk to individuals is still high, GDPR Article 36 requires the controller to consult the supervisory authority — the DPC in Ireland or the ICO in the UK — before starting the processing. In practice that means the DPIA conclusion and the residual rating need to be defensible and evidenced, because the regulator will look at how the risk was assessed and why the remaining level was judged acceptable or escalated. A register that records inherent and residual scores with their source makes that case; an opaque single score does not.
Related research
- Privacy Risk Register Template: the fields a defensible register should contain, including the inherent and residual scores.
- Privacy Risk Software Compared: the four types of privacy risk tool and the criteria to score them on.
- DPIA Guide: when a DPIA is required under Article 35, and how it assesses and follows up risk.