The prominent position of risk in the GDPR has raised questions as to the meaning this concept should be given in the field of data protection. This article acknowledges the value of extracting information from the GDPR and using this information as means of interpretation of risk. The ‘role’ that risk holds in the GDPR as well as the ‘scope’ given to the concept, are both examined and provide the reader with valuable insight as to the legislature’s intentions with regard to the concept of risk. The article also underlines the importance of taking into account new technologies used in personal data processing operations. Technologies such as IoT, AI, algorithms, present characteristics (e.g. complexity, autonomy in behavior, processing and generation of vast amounts of personal data) that influence our understanding of risk in data protection in various ways.