Want to have a Data Protection Impact Assessment carried out?
The Dutch text of the European General Data Protection Regulation (GDPR) refers to the data protection impact assessment in Articles 35 and 36 GDPR. Many use the English designation Data Protection Impact Assessment, or simply the abbreviation DPIA.
The results of a DPIA expose the risks to the protection of personal data. In practice, the protection measures applied when processing personal data are sometimes inappropriate and/or ineffective. Companies use the DPIA as a compliance “tool” to assess existing and new processing of personal data.
Management can also have a DPIA carried out on policy making and on the realisation of policy goals. The supervisory authority expects management to carry out DPIAs on certain processing operations of personal data and to update the DPIAs carried out periodically (at least once every 3 years).
What is the motivation?
The European legislator requires DPIAs to be carried out for specific processing operations of personal data. In their guidelines, the European supervisory authorities have set out which processing operations they expect a DPIA for and how such an assessment should be structured. The Dutch supervisory authority, the Dutch Data Protection Authority (AP), writes extensively about this on its website. In the Government Gazette, the AP publishes a list of processing operations for which a DPIA is mandatory.
Performing DPIAs can also be commercially motivated. Not protecting (personal) data effectively creates liability and cost risks that eventually materialise. The scope and scale of a DPIA research approach can broaden management's view to the adequate protection of business data, especially trade secrets, or the adequate application of artificial intelligence (AI). When organising the corporate compliance function, we establish a relationship between the compliance approach and the DPIA research approach. As a result, the added value of periodically organising DPIAs is also an extension of organising the compliance function. In short, the results of DPIAs lead to:
- More effective organization of business activities; and
- Mitigating liability and cost risks.
What is our approach?
Various regulators, such as the AP, associations of practitioners such as (Dutch) NOREA (see: DPIA handbook on which we collaborated), and training institutes, such as the Duthler Academy (see DPIA theoretical and practical framework) provide handbooks and training on how to conduct DPIAs. In general, we can set up a DPIA as follows:
- Intake, analysing the object of investigation and identifying risks: Company management, in consultation with the data protection officer, periodically sets the objectives of DPIA investigations, aimed in particular at assessing the effective protection of personal data. The object of research often relates to the management and security measures that have been or must be included in business processes or in the processing of personal data. The processing operations are often part of a complex of business processes. Exploring the inherent, internal control and investigation risks of the processing puts the research in a clear business perspective.
- Consulting the key employees: The process descriptions, the evidence of the effective operation of the control measures and the overview of incidents and data breaches provide a basis for the investigation. Together with the results of consulting the key employees, this creates a picture of the maturity of the protection of personal data.
- Baseline testing: Management can embrace a set of standards and baselines – as part of its policy – for organizing business activities. Requirements from relevant legislation are often included in the baselines.
- Documenting findings: During a DPIA study, investigators systematically document their findings. Careful research is characterized by coordinating records of conversations with employees and making research steps reproducible. It is about giving the employees involved insights into why and how business activities can be better organized. The process of conducting a DPIA is often more important than the outcomes.
- Reporting: The purpose of the DPIA determines the form of reporting. An accessible report of findings and recommendations is often sufficient.
- Awareness and training programme: Depending on the scope and scale of the DPIA, it may be necessary or desirable for the employees and management involved in the investigation to gain knowledge. Duthler Associates, in collaboration with the Academy, has (company-specific) awareness and training programmes that can be deployed.
- Tooling: Duthler Associates supports the preparation and conduct of a DPIA, the recording of findings and the determination of its impact with tooling.
What is the relationship with compliance and what are the areas of research?
A compliance approach, or taking measures of administrative organisation and internal control, is about organising business activities through business processes in which those measures are embedded. The DPIA focuses on establishing that the control measures have worked effectively.
DPIAs conducted
Duthler Associates’ professionals in collaboration with concerned employees of companies and institutions have carried out a range of DPIAs. We give an impression of the scope and coverage.
- Compile data protection review framework and assess the extent to which business activities are adequately organised with business processes and supporting IT systems.
- For a primary process, assess the capacity of a new supporting IT system to adequately and effectively protect personal data.
- Determine the maturity level of privacy protection, propose management security and compliance measures and set up risk management.
- Examine the impact of IT systems and the management and security measures contained therein on the privacy risks for data subjects.
- Compile and implement a data protection code of conduct for partners sharing (personal) data.
Conducting DPIAs is easier if the parties involved have awareness of the importance of data protection and knowledge of the risks to the data subject and the company of inadequate measures.