What is a DPIA?
A Data Protection Impact Assessment (DPIA) is a tool used, before personal data are processed, to identify the privacy risks of a data processing operation. This allows an organization to take appropriate measures to reduce those risks before the processing starts.
DPIA and the AVG
A DPIA(1) is also an important tool for organizations to demonstrate compliance with the obligations of the General Data Protection Regulation (AVG).(2) It is therefore important that, when conducting a DPIA, both the methodology followed and the results are recorded in a document. This allows an organization to demonstrate that it carried out a proper DPIA if, for example, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) asks for it.
In the AVG, the DPIA is laid down in Article 35, "Data protection impact assessment". Such privacy risk assessments are not new: even under the AVG's predecessor, the Personal Data Protection Act (Wbp), privacy-conscious organizations carried out risk analyses of their (key) processes.
What is the function of a DPIA?
An organization normally wants, and is required, to have insight into the (privacy) risks of the processes in which personal data are processed. This is necessary to protect the (privacy) interests of the data subjects (clients, customers, patients, citizens, students, employees, etc.), but also to safeguard the organization's own interests: think of reputational damage, or damage to relationships with partners as a result of a privacy breach. This insight can only be obtained through an inventory and risk analysis of those processes. That is the function of a DPIA: it gives you insight into, and control over, the privacy risks that those processes pose to data subjects and to the organization.(3)
When to conduct a DPIA? Mandatory for high-risk processing
Under the AVG, but also under the Police Data Act (Wpg) and the Judicial and Criminal Records Act (Wjsg), organizations may be required to conduct a DPIA. For processing operations that carry a high privacy risk for data subjects, conducting a DPIA is not a choice but a legal obligation. Failure to comply with the DPIA obligation can result in a fine from the AP of up to 10 million euros or up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. In the AP's fining policy rules, the basic fine for failing to conduct a DPIA where one is mandatory is €310,000.(4)
The following steps can be used to determine whether a DPIA is required:
Step 1: Article 35(3) AVG
Step 3: The European Data Protection Board's criteria (formerly the WP29 guidelines, WP 248)
Further learning
Want to get hands-on with DPIAs? Check out our (online) learning offerings:
Handbook DPIA, available in our bookshop
E-learning DPIA (includes the Handbook DPIA free of charge), see the course agenda
Practice day DPIA (includes the Handbook DPIA free of charge), see the course agenda
The Handbook DPIA is also available digitally with a Data&Privacyweb PRO membership, which gives you access to all Data&Privacyweb digital books and case law.
With the Data&Privacyweb Expert membership you get access to the digital version of the Handbook DPIA and to the E-learning DPIA, and you can also attend the practice day free of charge.
Footnotes
(1) See also the WP29 guidelines WP 248 of April 4, 2017 (as last revised and adopted on October 4, 2017), page 4: "A data protection impact assessment is a process designed to describe the processing of personal data, assess its necessity and proportionality, and help manage the associated risks to the rights and freedoms of natural persons by estimating these risks and identifying measures to address them. Data protection impact assessments are important accountability tools because they help controllers not only comply with the requirements of the AVG, but also demonstrate that appropriate measures have been taken to ensure compliance with the regulation (see also Article 24 AVG)."
(2) An important difference between the AVG and the repealed Personal Data Protection Act (Wbp) is the documentation obligation, or accountability obligation: see Article 5(2) and Article 24 AVG. This concerns demonstrable compliance in the processing of personal data. In addition, compliance is a continuous PDCA cycle (Plan, Do, Check, Act): organizations must be able to demonstrate at all times that they comply with the obligations of the AVG. It is therefore not a one-off implementation.
(3) Recital 84 of the AVG states that the controller is responsible for carrying out a DPIA in order to assess, in particular, the origin, nature, particularity and severity of the risks. The outcome of the assessment should be taken into account when determining the appropriate measures. In this way, compliance with the AVG in the processing of personal data can be demonstrated.
(4) See the AP's fining policy rules (Boetebeleidsregels Autoriteit Persoonsgegevens 2019) of February 19, 2019.