Data Protection Impact Assessment
A Data Protection Impact Assessment (DPIA) is an instrument to identify and mitigate privacy risks associated with processing personal data in a project. Whereas a privacy scan is recommended for all projects processing personal data, a DPIA is required by the GDPR if your processing of personal data poses a high risk to the rights and freedoms of data subjects or others (art. 35). This can be the case, for example, when you process personal data from vulnerable groups such as children or patients, sensitive personal data, or a large amount of personal data (see also the risk assessment chapter).
A DPIA is very in-depth and requires official advice from the university’s Data Protection Officer (DPO). We strongly recommend contacting your privacy officer early on: they can best estimate whether a DPIA is necessary and identify any approved DPIAs that your project may be able to reuse. They have to be involved in performing the assessment anyway.
The process of performing a DPIA
- Contact your privacy officer as early as possible to assess whether a DPIA is necessary.
- Work together with your privacy officer, and possibly other stakeholders such as security officers, to assess your design and risks and complete the DPIA.
- When finished, the DPIA is sent to the Data Protection Officer (DPO) for advice. The DPO's considerations also need to be documented.
- You may need to adjust your research design and update the DPIA accordingly.
- In case of a negative DPO advice, you should ask your head of department or faculty dean for permission to go ahead with your project.
- Regularly update the DPIA when there are changes in your research project.
- Retain the DPIA for as long as you retain personal data.
Examples and templates
An example case from Utrecht University about social safety in the Dutch House of Representatives is described on the UU intranet (privacy considerations) and on the UU website (news message).