
Performing a data protection impact assessment (DPIA)

Published by:
Netherlands Enterprise Agency, RVO

Do you use, collect, or share personal data of your customers? And is there a significant risk to privacy? Then, as a result of the General Data Protection Regulation (GDPR, Algemene Verordening Gegevensbescherming, AVG), you must first perform a data protection impact assessment (DPIA).

What is a DPIA?

A DPIA assesses the impact that processing personal data has on privacy and identifies where the risk factors lie. It also shows which measures you should take to prevent or minimise the risk of a privacy breach. You must carry out a DPIA before you start using, collecting, or sharing personal data.

Do the results of the DPIA show that there is a high risk? And are you unable to prevent or minimise this risk? In this case you have to consult the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) before continuing.

When is a DPIA mandatory?

According to the European rules, a DPIA is only required when processing personal data is likely to result in a high risk to the privacy rights of the persons involved. It is up to you to decide whether this is the case. European data protection authorities have drawn up a guideline with 9 criteria. You should perform a DPIA if 2 or more of these criteria apply:

  • You use personal data for evaluation or scoring, including profiling and predicting. For example, a bank that screens its customers against a credit reference database. Or if you draw up profiles of people using data on their interests and preferences, health, or location.
  • You make decisions based on automated processes. This applies to processing with significant effects such as exclusion or discrimination.
  • You regularly collect personal data on a large scale through a systematic monitoring of a publicly accessible area. For example, through camera surveillance without people knowing what the images will be used for or by whom.
  • You process highly personal and sensitive data. These could, for instance, be data on political or religious preferences, but also medical records and criminal or financial data.
  • You process personal data on a large scale for a longer period of time.
  • You combine 2 or more different datasets (for instance, datasets that were intended for different purposes or collected by different operators).
  • You use data of vulnerable individuals such as children, employees or patients.
  • You make use of new and innovative technologies or solutions of which the social consequences are not yet known.
  • You process personal data in such a way that a person cannot use a service, enter into a contract or exercise a right. An example of this is when a bank checks a credit reference database to determine whether it will offer a customer a loan.

You can also check with the Dutch Data Protection Authority (AP) in which situations a DPIA is mandatory.

Requirements for a DPIA

It is up to you how you carry out a DPIA, but you must comply with at least the requirements of the Dutch DPA (AP). You describe, for example, the personal data you will process, for what purpose you will use these data, and why. You also assess the privacy risks and describe how you prevent or minimise them.

Conducting another DPIA

Sometimes you will need to conduct another DPIA. For example, if you are going to use the personal data for a different purpose, or if you are going to use a new technology.

Data Protection Officer (DPO)

Whether you need to appoint a Data Protection Officer (DPO, or Functionaris voor de gegevensbescherming, FG) depends on your company’s activities. The DPO monitors whether your organisation complies with the GDPR (AVG). You must register your organisation’s DPO with the Dutch Data Protection Authority (in Dutch). Government agencies and public organisations must always have a DPO. This does not apply to courts.
