The Commission shall, in making regulations or issuing directives under subsection (2), have regard to the —

(a) risk of significant harm that may be caused to a data subject or a class of data subjects by the processing of such category of personal data;

(b) reasonable expectation of confidentiality attached to such category of personal data; and

(c) adequacy of protection afforded to personal data generally.