Security of personal data processing is about individuals being able to trust that an organisation will handle their data fairly and responsibly. In the context of the European area, if an organisation carries out an operation (i.e. processing) involving information about individuals for any reason, it must comply with the General Data Protection Regulation. However, due to their complexity, traditional information technology security approaches do not effectively reduce the security risk of the processing. This paper argues that we need to rethink our approach if we want to effectively address the problem of risk, and proposes an approach based on the concept of activity within activity theory, which has the necessary components to achieve a common goal within a context, in this case protection.