Gain insight into the bottlenecks and points for improvement?
The Dutch text of the European General Data Protection Regulation (GDPR) refers to the data protection impact assessment in Articles 35 and 36 of the GDPR. This assessment is commonly abbreviated as DPIA.
The results of a DPIA expose the risks to the protection of personal data. Protective measures applied when processing personal data are not always appropriate or effective. Companies use the compliance "instrument" DPIA to assess existing and new processing of personal data.
Company management can also have a DPIA carried out on policy making and on the realization of policy goals. The supervisory authority expects management to perform DPIAs for certain processing operations of personal data and to update the performed DPIAs periodically (at least once every 3 years).
How can we help you?
Do you have questions about organizing, implementing or expanding a Data Protection Impact Assessment? Our service owners are happy to discuss your needs, case and/or problem.
The European legislator requires DPIAs for specific processing operations of personal data. The European supervisory authorities have detailed in guidelines which processing operations require a DPIA and how such an assessment should be structured. The Dutch supervisory authority, the Dutch Data Protection Authority (AP), writes extensively about this on its website. The AP publishes a list of processing operations for which a DPIA is required in the Government Gazette.
Carrying out DPIAs can also be commercially motivated. Failing to protect (personal) data effectively gives rise to liability and cost risks, and knowing those risks in advance makes it possible to address them. The scope and depth of a DPIA investigation approach can be extended to corporate data, especially trade secrets. When organizing the business compliance function, we establish a relationship between the compliance approach and the DPIA investigation approach. Periodically organizing DPIAs therefore also adds value as an extension of the compliance function.
In short, the results of DPIAs lead to:
- More effective organization of business activities; and
- Limiting liability and cost risks.
Various regulators, such as the Dutch DPA (AP), associations of professional practitioners such as NOREA (see the DPIA guideline in which we have participated), and training institutes such as the Duthler Academy (DPIA theoretical and practical framework) provide guidelines and training for conducting DPIAs.
In broad terms, we can set up a DPIA as follows:
- The intake, analysis of the subject matter and identification of risks: Company management periodically sets, in consultation with the data protection officer and line management, the objectives of the DPIA investigations, which are aimed in particular at assessing the effective protection of personal data. The object of the investigation usually concerns the management and security measures that have been or must be included in business processes or in the processing of personal data. The processing operations are often part of a larger complex of business processes. Exploring the inherent internal control risks and investigation risks of the processing puts the investigation into a clear business perspective.
- Consulting the key employees: the process descriptions, the evidence of the effective operation of the control measures and the overview of incidents and data leaks provide a basis for the investigation. Combined with the results of the consultation of key employees, this creates a picture of the maturity of the effective protection of personal data.
- Checking against baselines: Business management can embrace a set of standards and baselines – as part of its policy – for organizing business activities. Requirements from relevant legislation are often included in the baselines. In this way, MYOBI has, for example, included relevant legislation in the field of the protection of personal data in the TTP policy, in particular the TTP Code of Conduct GDPR.
- Documenting findings and reporting: During a DPIA study, researchers systematically record their findings. Careful research is characterized by coordinating reports of conversations with employees and making research steps reproducible. The aim is to provide the employees involved with insights into why and how business activities can be better organized. The process of performing a DPIA is often more important than the outcomes. The purpose of the DPIA determines the form of the report. An accessible report of findings and recommendations is usually sufficient.
A compliance approach or taking measures of administrative organization and internal control is about organizing business activities with the help of business processes in which the measures are included. The DPIA focuses on establishing that the control measures have functioned effectively.