We decide not to store personal data: is it threat or risk avoidance?

Short answer: you avoid the risk, not the threat. Threats exist. Risks are choices.

Threats still exist

  • threats (external attackers, insiders, human mistakes, malware) still exist
  • you haven’t eliminated attackers or human error
  • you’ve simply removed the thing they could harm

So the threat remains, but:

  • No data → no vulnerability → no impact → no risk

If we remove the threat of data exposure (a leak) from our threat catalog, then the next time we do hold personal data we might miss it. Keep the threat in the catalog; it is the risk that drops to zero while the asset is absent.


This maps cleanly to common frameworks (ISO 27001, NIST):

Risk treatment options

  • avoid – eliminate the risk by removing the activity → don’t collect the data,
  • mitigate – reduce likelihood or impact → encryption, access controls,
  • transfer – shift impact → insurance, contracts,
  • accept – knowingly live with it.

Notice:

Only risks are avoided, mitigated, transferred, or accepted — not threats.