Bud P. Bruegger (ULD)
The final version of this document was validated by Hans Graux, guest lecturer on ICT and privacy protection law at the Tilburg Institute for Law, Technology, and Society (TILT) and at the AP Hogeschool Antwerpen, and President of the Vlaamse Toezichtscommissie (Flemish Supervisory Committee), which supervises data protection compliance within Flemish public sector bodies.
In certain cases, the GDPR requires controllers to carry out a Data Protection Impact Assessment (DPIA). The following describes this concept by answering some key questions, namely:
- What is a DPIA?
- What are the purposes of a DPIA?
- What is the intended audience of a DPIA report?
- How is a DPIA different from a security assessment?
- Who is responsible for carrying out a DPIA? Who should be involved in carrying out a DPIA?
- In what cases must I carry out a DPIA? Are there lists of processing activities that require a DPIA?
- At what point in time does the DPIA need to be carried out/updated?
- Is there a standardized method for carrying out a DPIA? Are there outlines, templates or tools in support of carrying out a DPIA?
- What can facilitate carrying out a DPIA?
- What happens if I do not carry it out? What are the possible consequences?
The answers are predominantly based on the GDPR itself and on the guidelines on the topic provided by the Article 29 Data Protection Working Party (wp248rev.01), which have been formally endorsed by the European Data Protection Board.
If a DPIA is necessary:
1. wp248rev.01, Article 29 Data Protection Working Party, Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679, adopted on 4 April 2017, as last revised and adopted on 4 October 2017, https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=611236 (last visited 14/01/2020).
2. Endorsement of GDPR WP29 guidelines by the EDPB, https://edpb.europa.eu/news/news/2018/endorsement-gdpr-wp29-guidelines-edpb_en, Brussels, 25 May 2018, bullet point 6.