Performing a data protection impact assessment (DPIA)

Published by:
Netherlands Enterprise Agency, RVO

Do you use, collect, or share personal data of your customers? And is there a significant risk to privacy? Then, as a result of the General Data Protection Regulation (GDPR, Algemene Verordening Gegevensbescherming, AVG), you must first perform a data protection impact assessment (DPIA).

What is a DPIA?

A DPIA is an assessment of the impact that processing personal data has on privacy and of where the risks lie. A DPIA will also show you what measures you should take to prevent or minimise the risk of a privacy breach. You must carry out a DPIA before you start using, collecting, or sharing personal data.

A DPIA is a continuous process. This means you have to keep monitoring the data processing in your organisation. If there are changes you may need to adjust your DPIA. For instance, if you start using new methods or technology for data processing or you want to use the data for other purposes, you may need to carry out a DPIA again.

Do the results of the DPIA show that there is a high risk? And are you unable to prevent or minimise this risk? In this case you have to consult the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) before continuing.

Is a DPIA mandatory?

According to the European rules a DPIA is required whenever processing personal data is likely to result in a high risk to the privacy rights of the persons involved. European data protection authorities have drawn up a guideline including 9 criteria. You should perform a DPIA if 2 or more of these criteria apply:

  • You use personal data for evaluation or scoring, including profiling and predicting. For example, a bank that screens its customers against a credit reference database. Or if you draw up profiles of people using data on their interests and preferences, health, or location.
  • You make decisions based on automated processes. This applies to processing with significant effects such as exclusion or discrimination.
  • You regularly collect personal data on a large scale through a systematic monitoring of a publicly accessible area. For example, through camera surveillance without people knowing what the images will be used for or by whom.
  • You process highly personal and sensitive data. These could, for instance, be data on political or religious preferences, but also medical records and criminal or financial data.
  • You process personal data on a large scale for a longer period of time.
  • You combine 2 or more different datasets (for instance that were intended for different purposes or collected by different operators).
  • You use data of vulnerable individuals such as children, employees or patients.
  • You make use of new and innovative technologies or solutions of which the social consequences are not yet known.
  • You process personal data in such a way that a person cannot use a service, enter into a contract or exercise a right. An example of this is when a bank checks a credit reference database to determine if they will offer a customer a loan.

The Dutch Data Protection Authority has a list of situations where a DPIA is mandatory (in Dutch).

Requirements for a DPIA

It is up to you how you carry out a DPIA, but you must comply with a number of requirements:

  • You describe the personal data you will process, for what purpose you will use these, and why you do this.
  • You assess the necessity of using personal data to reach your goal.
  • You assess if the breach of privacy is proportionate to reaching your objective.
  • You assess the privacy risks.
  • You decide on which measures you will take to minimise or prevent privacy risks.
  • You decide which measures you will put in place to comply with the GDPR (AVG).

Data Protection Officer, DPO (Functionaris voor de gegevensbescherming, FG)

It depends on your company’s activities if you need to appoint a Data Protection Officer (DPO, or FG in Dutch). Public administrations must always have a DPO. The DPO monitors if your organisation complies with the GDPR (AVG). You must register your organisation’s DPO with the Dutch Data Protection Authority (in Dutch).
