There are several methods for conducting a DPIA. You can choose one, as long as you meet the basic requirements outlined in the AVG. Those basic requirements are that you must include at least the following in your DPIA:
- A systematic description of the data processing you intend and its purposes. Do you invoke a legitimate interest as the basis for the processing? If so, include this in the description as well.
- An assessment of the necessity and proportionality of the processing.
- An assessment of the privacy risks to the people whose data you want to process.
- The intended measures to (1) address the risks (such as safeguards and security measures) and (2) demonstrate your compliance with the AVG.
When assessing privacy risks, you must assess whether there are high residual risks. These are serious situations that could still happen despite your precautions. In doing so, pay attention to at least the following points in your DPIA:
- Indicate which high privacy risks you cannot completely avoid.
- Specifically state in which situations or components there is a high residual risk.
- Indicate how likely it seems to you that the described situation will occur despite the measures you take.
- Describe what harm then occurs or may occur to the individuals whose personal data you process.
Start the DPIA in the design phase of the data processing, as early as practically possible, even if not all the details of the processing are known yet. Starting early makes it easier for you to comply with the legally required principles of privacy by design and privacy by default.
As a data controller, you must ensure that a DPIA is conducted. You do not have to conduct the DPIA yourself; you can also have it done by someone else within or outside your organization, for example by a specialized agency. However, you remain ultimately responsible.
Source: https://www.autoriteitpersoonsgegevens.nl/themas/basis-avg/praktisch-avg/data-protection-impact-assessment-dpia , accessed April 18, 2024.