DPIA

How do you, as a researcher, know you have taken all possible measures to protect the personal data in your study? You use a Data Protection Impact Assessment (DPIA). In Dutch: a 'gegevensbeschermings-effectbeoordeling'.

A DPIA can best be compared to a traffic light. It contains a series of questions that show for which points in your study the light is green, yellow or red with respect to the handling of personal data. On this page we explain how it works.


Why?

In the GDPR, a DPIA serves as a risk assessment. It is a structured way to identify risks in the handling of personal data in a study. Answering all of the questions in the DPIA together with a privacy expert in your organisation gives you an overview of the potential risks, so that you can take relevant measures at an early stage. This saves you a lot of time and, in particular, reduces the risk of data leaks later on in your study.

How?

You always carry out a DPIA once the design of your study has been outlined. Together with a privacy expert (often a 'data steward') in your organisation, you go through the questionnaire. This usually takes an hour to ninety minutes. The questionnaire results in a risk analysis that may form the basis for adjustments to parts of your research plan. Another DPIA may then be performed to check your adjusted research proposal for risks.

The framework of the process is as follows:

Example

As mentioned, a DPIA is a questionnaire. If you would like to look at the questions covered in a DPIA in advance, view an example here. Please note: the questionnaire used by your organisation may differ from this one. Ask your internal privacy expert (often the 'data steward') about the DPIA used by your organisation.