
Want to have a Data Protection Impact Assessment carried out?

In the Dutch text of the European General Data Protection Regulation (GDPR), the data protection impact assessment is referred to in Articles 35 and 36 GDPR. Many refer to this assessment by its English name, Data Protection Impact Assessment, or simply by the abbreviation DPIA.

The results of a DPIA expose the risks to the protection of personal data. It happens that the protection measures applied when processing personal data are not appropriate and/or not effective. Companies use the DPIA as a compliance "tool" to assess both existing and new processing of personal data.

Management can also have a DPIA carried out on policy making and on the realization of the policy goals. The supervisory authority expects management to carry out DPIAs on certain processing operations of personal data, and expects the DPIAs carried out to be updated periodically (at least once every 3 years).

What is the motivation?

The European legislator requires DPIAs to be carried out for specific processing of personal data. The European supervisory authorities have set out in guidelines their expectations as to which processing operations require a DPIA and how such an assessment should be structured. The Dutch supervisory authority, the Dutch Data Protection Authority (AP), writes extensively about this on its website. In the Government Gazette, the AP publishes a list of processing operations for which a DPIA is mandatory.

Performing DPIAs can also be commercially motivated. Knowing the risks of not effectively protecting (personal) data matters, because those risks translate into liability and cost risks that will eventually materialize.

The scope of a DPIA investigation approach can be broadened to include corporate data, in particular trade secrets. When organizing the business compliance function, we establish a relationship between the compliance approach and the DPIA research approach. As a result, the added value of periodically organizing DPIAs is also an extension of organizing the compliance function. In short, the results of DPIAs lead to:

  • More effective organization of business activities; and
  • Mitigating liability and cost risks.

What is our approach?

Various supervisory authorities, such as the AP, professional associations such as NOREA, and training institutes, such as the Duthler Academy (DPIA theoretical and practical framework), provide guidance and training for carrying out DPIAs. In outline, we can structure a DPIA as follows:

  1. The intake, the analysis of the object of investigation and the identification of risks: Management, in consultation with the data protection officer, periodically initiates the objectives of the DPIA investigations, which are aimed in particular at assessing the effective protection of personal data. The object of research often relates to the management and security measures that have been or must be included in business processes or in the processing of personal data. The processing operations are often part of a complex of business processes. Exploring the inherent risk, internal control risk and investigation risk of the processing places the research in a clear business perspective.
  2. Consulting the key employees: The process descriptions, the impact of the evidence of effective operation of the control measures and the overview of the incidents and data breaches provide a basis for the investigation. This, in conjunction with the results of the consultation of the key employees, creates a picture of the maturity of effectively protecting personal data.
  3. Baseline testing: Management can embrace a set of standards and baselines – as part of its policy – for organizing business activities. Requirements from relevant legislation are often included in the baselines.
  4. Documenting findings and reporting: During a DPIA study, the researchers systematically record their findings. Careful research is characterized by coordinating records of conversations with employees and making research steps reproducible. It is about giving the employees involved insights into why and how business activities can be better organized. The process of performing a DPIA is often more important than the outcomes. The purpose of the DPIA determines the form of the report. An accessible report of findings and recommendations is often sufficient.

What is the relationship with compliance and what are the areas of research?

A compliance approach, or taking measures of administrative organization and internal control, is about organizing business activities using business processes in which the measures are included. The DPIA focuses on establishing that the control measures have worked effectively.

Do you have any questions or would you like to make an appointment?

Do you need a DPIA or have a question about DPIAs? Or do you have another question? Feel free to contact us. Our professionals will be happy to help you.