Data Protection Impact Assessment (DPIA)

Bud P. Bruegger (ULD)

The final version of this document was validated by Hans Graux, guest lecturer on ICT and privacy protection law at the Tilburg Institute for Law, Technology, and Society (TILT) and at the AP Hogeschool Antwerpen, and President of the Vlaamse Toezichtscommissie (Flemish Supervisory Committee), which supervises data protection compliance within Flemish public sector bodies.


In certain cases, the GDPR requires controllers to carry out a Data Protection Impact Assessment (DPIA). The following describes this concept by answering some key questions, namely:


The answers are predominantly based on the GDPR itself and on the guidelines on this topic issued by the Article 29 Data Protection Working Party (wp248rev.01)[1], which have been formally endorsed[2] by the European Data Protection Board[3].


Checklist
  • Verify whether you need to conduct a DPIA for your processing activity.
    • See In what cases must I carry out a DPIA? below.
  • Document this verification (no matter whether it was affirmative or not).

If a DPIA is necessary:

  • Start as early as possible (following the principle of Data Protection by Design).
    • See At what point in time does the DPIA need to be carried out/updated below.
  • Get an overview of what a DPIA is. See below:
    • What is a DPIA
    • What are the purposes of a DPIA
    • What is the intended audience of a DPIA report
    • Who is responsible for carrying out a DPIA
    • What happens if I do not carry it out
  • Use the guidance and templates provided by the competent Data Protection Supervisory Authority (DPA) where possible.
  • If not (your DPA does not provide such material, or you have to cater to the areas of competence of many different DPAs), follow the guidance provided by the Article 29 Working Party in wp248rev.01.
    • See Further Reading below.
    • See Is there a standardized method for carrying out a DPIA for an overview and help in interpreting WP248rev.01.
  • Assemble the team necessary to conduct the DPIA.
    • See Who should be involved in carrying out a DPIA below.
  • Consider ways of facilitating your work.
    • See What can facilitate carrying out a DPIA below.
Dos
  • Start working on the DPIA as early as possible.
  • Emphasize and document the (continuous) process, not just the result (report).
  • Use the DPIA as a decision tool for yourself.
  • Involve the DPO and all other mandatory parties.
  • Focus on technical and organizational measures that lower the risks to an acceptable level.
  • Implement a schedule to revise and update the DPIA when required.
Don’ts
  • Don’t confuse the DPIA with IT security risk management.
  • Don’t consider the risks to your organization and its assets; consider the risks to data subjects and other natural persons who are affected by your processing.
  • Don’t understand risk as an undesirable event (such as an attack or a natural disaster); consider your processing as the source of risk, even if everything goes as planned.
Further Reading

  • Guidance and templates, where provided by your competent Data Protection Supervisory Authority, which is the main audience of the DPIA (what exactly is available depends on where you are located).
  • WP248rev.01, ARTICLE 29 DATA PROTECTION WORKING PARTY, Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679, Adopted on 4 April 2017, As last Revised and Adopted on 4 October 2017, https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=611236 (last visited 14/01/2020).


References

[1] wp248rev.01, ARTICLE 29 DATA PROTECTION WORKING PARTY, Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679, Adopted on 4 April 2017, As last Revised and Adopted on 4 October 2017, https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=611236 (last visited 14/01/2020).

[2] Endorsement of GDPR WP29 guidelines by the EDPB, https://edpb.europa.eu/news/news/2018/endorsement-gdpr-wp29-guidelines-edpb_en, Brussels, 25 May 2018, Bullet point 6.

[3] European Data Protection Board, https://edpb.europa.eu/
