This article is related to:

Performing a data protection impact assessment (DPIA)

This information is provided by

Netherlands Enterprise Agency, RVO

Do you use, collect or share personal data of you customers? And is there a significant risk to privacy? Then you must, according to the General Data Protection Regulation (GDPR, Algemene Verordening Gegevensbescherming, AVG), first perform a data protection impact assessment (DPIA).

What is a DPIA?

A DPIA is an assessment of what the impact on privacy is and where these risk factors may occur when processing personal data. A DPIA will also show you what measures you should take to minimise or prevent the risk of a privacy breach. You must carry out a DPIA before you start using, collecting or sharing personal data.

A DPIA is a continuous process. This means you have to keep monitoring the data processing in your organisation. If there are changes you may need or adjust your DPIA. If for instance, you start using new methods or technology for data processing or you want to use the data for other purposes, you may need to carry out a DPIA anew.

Do the results of the DPIA show that there is a high risk? And are you unable to prevent or minimise this risk? In this case you have the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) perform a prior consultation).

Is a DPIA mandatory?

According to the European rules a DPIA is required whenever processing personal data is likely to result in a high risk to the privacy rights of the persons involved. European data protection authorities have drawn up a guideline including 9 criteria. You should perform a DPIA if 2 or more of these criteria apply:

  • You use personal data for evaluation or scoring, including profiling and predicting. For instance a bank that screens its customers against a credit reference database. Or if you draw up profiles of people using data on their interests and preferences, health or location.
  • You make decisions based on automated processes. This applies to processing with significant effects such as exclusion or discrimination.
  • You regularly collect personal data on a large scale through a systematic monitoring of a publicly accessible area. For example through camera surveillance without people knowing what the images will be used for or by whom.
  • You process highly personal and sensitive data. These could for instance be data on political or religious preferences, but also medical records and criminal or financial data.
  • You process personal data on a large scale during an longer period of time.
  • You combine 2 or more different datasets (for instance that were intended for different purposes or collected by different operators).
  • You use data of vulnerable individuals such as children, employees or patients.
  • You make use of new and innovative technologies or solutions of which the social consequences are as yet unknown.
  • You process personal data in such a way that that a person cannot use a service, enter into a contract or exercise a right. An example of this is when a bank checks a credit reference database to determine if they will offer a customer a loan.

Requirements for a DPIA

It is up to you how you carry out a data protection impact assessment, but you must comply with a number of requirements:

  • You describe the personal data you will process, for what purpose you will use these and why you do this.
  • You assess the necessity of using personal data to reach your objective.
  • You assess if the breach of privacy is proportionate to reaching your objective.
  • You assess the privacy risks.
  • You decide on which measures you will take to minimise or prevent privacy risks.
  • You decide which measures you will put in place to comply with the GDPR (AVG).

Data Protection Officer, DPO (Functionaris voor de gegevensbescherming, FG)

It depends on your company’s activities if you need to appoint a Data Protection Officer (DPO, or FG in Dutch). Public administrations must always have a DPO. The DPO monitors if your organisation complies with the GDPR (AVG). You must register your organisation’s DPO with the Dutch Data Protection Authority (in Dutch).

This article is related to:

This information is provided by

Netherlands Enterprise Agency, RVO