Changes require a new DPIA. Conducting a DPIA is not a one-time task, but a continuous process. Therefore, you should always continue to monitor for changes in:
your data processing;
the risks of processing;
the context of processing.
Because of these changes, it is advisable to conduct a DPIA periodically anyway. Even if the data processing itself has not changed. For example, once every 3 years.
This also applies to existing processing operations for which you have not previously conducted a DPIA. If something changes, you may still be required to conduct a DPIA.
Changes in data processing
Your processing changes, for example, if you start using a new technology. Or if you start using personal data for a different purpose. In these situations, your data processing actually changes into a new data processing operation. And then a DPIA may be required.
Changes in processing risks.
Does the privacy risk of your processing change? If so, you may also be required to conduct a DPIA. Risks may change, for example, because an element of the processing process changes. Technological developments are moving fast. As a result, new vulnerabilities may arise.
Changes in the context of processing
Finally, you may be required to conduct a DPIA because the context of your organization or the social context changes. For example, because the consequences of certain automated decisions have become more important. Or because new categories of people become vulnerable to discrimination.
Because of these changes, it is advisable to conduct a DPIA periodically. Even if the data processing itself has not changed. For example, once every 3 years.
Source: https://www.autoriteitpersoonsgegevens.nl/themas/basis-avg/praktisch-avg/data-protection-impact-assessment-dpia#na-de-dpia , accessed January 27, 2025.
