Data protection impact assessment (DPIA)

Does an organisation intend to process personal data in a way that is likely to entail a high privacy risk? In that case, the organisation is obliged to carry out a data protection impact assessment (DPIA) first. A DPIA is an instrument for mapping the privacy risks of a data processing operation beforehand, so that the organisation can take measures to mitigate those risks before the processing starts.

The obligation to carry out a DPIA has been set out in the:

  • General Data Protection Regulation (GDPR);
  • Dutch Police Data Act (Wpol);
  • Dutch Judicial Data and Criminal Records Act (Wjsg).

In the (original) Dutch version of these Acts, the DPIA is called a 'gegevensbeschermingseffectbeoordeling' (GEB).
When must a DPIA be carried out?

As an organisation, you have to decide for yourself whether your data processing operation entails a high privacy risk, and therefore whether you have to carry out a DPIA. The following criteria can help you determine this:

  • What the General Data Protection Regulation (GDPR) says about when you have to carry out a DPIA.
  • The list of the Dutch Data Protection Authority (Dutch DPA) with types of processing operations for which you must carry out a DPIA.
  • The 9 criteria for a DPIA of the European data protection agencies.
     

DPIA according to the GDPR

The GDPR states that you must in any case carry out a DPIA if as an organisation you:

  • Systematically and comprehensively assess personal aspects of people on the basis of automated personal data processing, including profiling, and base decisions on this that have consequences for people. An example is credit scoring, where the outcome may mean that someone cannot take out a loan.
  • Process special personal data on a large scale.
  • Process criminal data.
  • Systematically and on a large scale track people in a publicly accessible area. For example with camera surveillance.

DPIA list of the Dutch DPA

In addition, the Dutch DPA has drawn up a list of types of processing operations for which carrying out a DPIA is mandatory before you start processing.

Note:
  • The DPIA list is not exhaustive. It is possible that your processing operation is not on this list. You will have to assess for yourself then if your processing operation entails a high risk for the people whose data you want to process.
  • The terms 'large-scale' and 'systematic' are used in the list. The EU data protection agencies have given further substance to the term 'large-scale', but not (yet) to the term 'systematic'. The Dutch DPA understands 'systematic' to mean processing operations that take place according to a specific system, such as a processing operation that has been embedded in the systems or in the policy of an organisation. Processing operations that take place ad hoc or incidentally are not systematic processing operations.
  • This list has been coordinated at EU level. The EU data protection agencies check periodically whether the list requires adjustment.
  • Your processing operation must comply with the GDPR at all times. If your intended processing operation is on this list, you will always have to check whether you have a valid legal basis for it. If you do not, you are not allowed to process the personal data, regardless of the outcome of any DPIA.

The 9 criteria of supervisors for DPIA

Is your processing operation not on the DPIA list, so that you have to assess yourself whether a DPIA is required? Then you can use the 9 criteria for a DPIA that were drawn up by the EU data protection agencies.

As a rule of thumb, you will have to carry out a DPIA if your processing meets two or more of these criteria.

Note: The 9 criteria are a guide for assessing whether you must carry out a DPIA. Even if you meet none or only one of these criteria, you must be able to substantiate properly why you choose not to carry out a DPIA. This is part of your duty of accountability.

1. Assessing people on the basis of personal characteristics

This concerns, among other things, profiling and making predictions, in particular on the basis of characteristics such as someone's professional performance, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements.

Examples of these include:

  • a bank determining the creditworthiness of customers (credit scoring);
  • a company providing DNA testing to consumers to assess health risks;
  • a company tracking visitors to its website and using that information to create profiles of these people.

2. Automated decisions

This concerns decisions that have legal consequences or comparable significant consequences for people, such as being excluded or discriminated against. Decisions without (major) consequences do not fall under this criterion. For more information, see the Guidelines on automated decision-making and profiling of the EDPB.

3. Systematic and large-scale monitoring

This concerns monitoring of publicly accessible areas, for example with camera surveillance. Personal data may then be collected without people knowing who collects their data and what happens with them afterwards. Furthermore, it may be impossible for people to avoid this data processing in public spaces.

4. Sensitive data

This concerns:

  • special categories of personal data;
  • criminal data;
  • data that is generally considered privacy-sensitive.

5. Large-scale data processing operations

The GDPR does not give a definition of 'large-scale data processing operations'. The European data protection agencies have given further substance to the term large-scale.

6. Linked databases

This concerns data collections that have been linked to each other or combined with each other. For example, databases arising from two or more data processing operations with different purposes and/or performed by different organisations, in a manner that people cannot reasonably expect.

7. Data on vulnerable persons

When processing this type of data, a DPIA may be necessary because the balance of power between the data subject and the controller is unequal. Because of this imbalance, data subjects cannot freely give or refuse consent for processing their data. Examples are employees, children and patients.

8. Use of new technologies

The GDPR states very clearly that a DPIA may be required when a new technology is used, because this may entail new ways of collecting and using data with possibly significant privacy risks. The personal and social consequences of the use of a new technology may even still be unknown. A DPIA will then help you understand and mitigate the risks.

Some Internet of Things applications, for example, may have a significant impact on the daily lives and the privacy of people. In such cases a DPIA is necessary.

9. Blocking of a right, service or contract

This concerns data processing operations as a result of which people:

  • cannot exercise a right;
  • cannot use a service;
  • cannot conclude a contract.

For example, a bank that processes personal data to determine whether someone will get a loan.

Tip: The EDPB's Data Protection Guide for SMEs provides a useful interactive flowchart to help you determine whether a DPIA is needed.

No DPIA needed

You do not have to carry out a DPIA if your data processing:

  • Is not likely to entail a high privacy risk.
  • Is very similar to another data processing operation for which a DPIA has already been carried out.
  • Is regulated by another European or national law, and a DPIA had already been carried out when this law came into force. This does not apply if the data protection agency considers a DPIA to be necessary after all.
  • Is on a list of processing operations for which a DPIA is not mandatory. The GDPR gives the data protection agency the option to draw up such a list, but this is not mandatory. The Dutch DPA has not drawn up such a list.

Carrying out a DPIA

There are various methods of carrying out a DPIA. You can choose one yourself, as long as you meet the basic requirements as described in the GDPR. Those basic requirements entail that you must include at least the following in your DPIA:

  • A systematic description of the data processing operation you intend to carry out and the purposes of this processing operation. If you rely on a legitimate interest as the legal basis for the processing operation, include that in the description as well.
  • An assessment of the necessity and proportionality of the processing operation.
  • An assessment of the privacy risks for the people whose data you want to process.
  • The envisaged measures for (1) addressing the risks (such as safeguards and security measures) and (2) demonstrating that you comply with the GDPR.

Note: In any case, your intended data processing operation must be lawful.

Estimating residual risks

When assessing privacy risks, you have to determine whether high residual risks remain. These are serious situations that, despite your precautions, may still occur. In this context, make sure you pay attention in your DPIA to at least the following points:

  • Indicate which high privacy risks you cannot completely prevent.
  • State specifically in which situations or for which parts there is a high residual risk.
  • Indicate how likely it is, according to you, that the situation described will occur, despite the precautions taken by you.
  • Describe which damage arises or may arise for the persons whose personal data you process.

Start the DPIA as early as possible

Start the DPIA during the design stage of the data processing operation, as early as practically possible, even if not all the details of the processing are known yet. By starting early, it will be easier for you to meet the mandatory principles of privacy by design and privacy by default.

Note: The fact that you may have to adjust the DPIA along the way is not an argument for postponing or not carrying out the DPIA. Carrying out a DPIA is not a one-off assignment, but a continuous process. You will always have to keep monitoring whether your data processing changes and whether you have to adjust the DPIA as a result.

Outsourcing the DPIA

As a controller, you have to ensure that a DPIA is carried out. You do not have to carry out the DPIA yourself: you can also ask someone else, within or outside your organisation, to do this, such as a specialised agency. You remain ultimately responsible, however.

Asking for advice on a DPIA

Depending on your specific situation, you have to seek advice about your DPIA from the following parties:

  • the Data Protection Officer (DPO);
  • the processor;
  • the data subjects;
  • other parties.

Advice from the DPO

Has your organisation appointed a Data Protection Officer (DPO)? Then you are obliged to ask the DPO for advice. You have to record in the DPIA report what the DPO advised and what you have done with that advice. The DPO is also tasked with monitoring the performance of the DPIA.

It is advisable to ask the DPO for advice on:

  • the process of deciding whether or not to carry out a DPIA;
  • the investigation method that is suitable to the DPIA;
  • the question of whether you, as the organisation, carry out the DPIA yourself or engage a specialised agency for that purpose;
  • the safeguards required for mitigating the privacy risks;
  • the question of whether the outcomes of the DPIA are in accordance with the law.

Advice from the processor

Will a processor perform data processing on your behalf? Then the processor has to support you in carrying out the DPIA and provide you with the information you need.

Advice from the data subjects

Where necessary, you have to ask the data subjects or their representatives for their opinion. There are several suitable ways in which you can do this, depending on your specific situation. For example:

  • conducting an internal or external study;
  • consulting consumer or employee organisations;
  • sending a questionnaire to your future customers.

Does your final decision deviate from the opinion of the data subjects? Then you have to document the reasons for continuing or not continuing the processing operation. You also have to document your reasoning if you think that it is not necessary to ask the data subjects for their opinion.

Advice from other parties

Finally, it is recommended that you establish and document which other parties you can involve in a DPIA in your specific situation, and what their responsibilities will be. Examples are the IT department, other departments and independent experts such as lawyers, technicians, security experts and sociologists.

After the DPIA

You now have insight into the privacy risks and the measures you have to take to cover these risks. It is then up to you to actually implement those measures.

Prior consultation

This is different if your DPIA shows that high residual risks remain, which you cannot sufficiently mitigate. In that case, you have to consult the Dutch DPA before starting the processing. This is called prior consultation.

Publishing the DPIA

You are not required by law to publish your DPIA, but this is recommended. It may enhance confidence in your data processing operations and demonstrates that you are accountable and transparent. This particularly applies if the processing impacts the general public, as is the case when the government is involved.

The DPIA that you publish does not have to contain the entire assessment. There may be information that you do not want to disclose, such as information about security risks or competitively sensitive information. You can then limit yourself to a summary of the most important results of the DPIA.

New DPIA in the event of changes

In the case of changes, a new or updated DPIA may be necessary. Carrying out a DPIA is not a one-off assignment, but a continuous process. That is why you always have to keep monitoring whether there are any changes in:

  • your data processing;
  • the risks of the processing;
  • the context of the processing.

Because of such changes, it is in any case advisable to carry out a DPIA periodically, for example once every three years, even if the data processing itself has not changed.

This also applies to existing processing operations for which you have not carried out a DPIA earlier. If something changes, you may be obliged to carry out a DPIA.

Changes in data processing

Your processing changes, for example, when you are going to use a new technology, or when you are going to use personal data for a different purpose. In these situations, your data processing effectively becomes a new data processing operation, and a DPIA may then be mandatory.

Changes in the risks of processing

Does the privacy risk of your processing change? Then you may also be obliged to carry out a DPIA. Risks can change, for example, because a part of the processing process changes. Technological developments are moving fast, and this can create new vulnerabilities.

Changes in the context of processing

Finally, you may be obliged to carry out a DPIA because the organisational or social context changes, for example because the consequences of certain automated decisions have become more significant, or because new categories of people become vulnerable to discrimination.