The General Data Protection Regulation (EU) 679/2016 (‘GDPR’) will be, as of 25 May 2018, the main data protection legal framework in the EU, directly applicable to all Member States and repealing the current Data Protection Directive 95/46/EC. Currently, businesses in the EU have to deal with 28 different data protection laws. This fragmentation is a costly administrative burden that makes it harder for many companies, particularly SMEs, to access new markets. One of the core obligations in GDPR for all businesses, including SMEs, acting either as data controllers or data processors, is the security of personal data. In particular, according to GDPR, security equally covers confidentiality, integrity and availability, and should be considered following a risk-based approach: the higher the risk, the more rigorous the measures that the controller or the processor needs to take in order to manage it. Even if this risk-based approach is not a new concept, only a few specific privacy risk assessment frameworks have been presented, focusing principally on the evaluation of risks to personal data and the adoption of relevant security measures.