Data Protection Impact Assessment (DPIA)

A DPIA is a risk-inventory assessment (in Dutch: gegevensbeschermingseffectbeoordeling or GBEB). A DPIA is sometimes recommended and in some situations it is required by law (GDPR Art. 35). This is the case when there is a possibility of a high risk to the ‘rights and freedoms’ of data subjects. According to the GDPR, such a ‘high risk’ is considered to be present if:

• you are making automated, impactful decisions regarding people based on personal data, including processes such as profiling, or
• you are processing special categories of personal data or criminal data on a large scale, or
• you observe people in public spaces on a large scale (such as with the use of security cameras).

The Dutch Personal Data Authority and the European Data Protection Board have compiled their own lists of criteria to help organisations determine whether a DPIA is required. At the Humanities faculty, we first consider whether the risks involved might be more than minimal. If this is the case, a privacy scan is performed in order to assess whether there might be high risks. Only if the latter is the case, a DPIA will be performed.

The DPIA will be performed by a multi-disciplinary team, coordinated by a privacy officer. It is not a document, but a process.