A DPIA

What’s the use of a DPIA, how much time does it take and how do you conduct one?


How do you, as a researcher, know whether you have taken all possible measures to protect the personal data in your study? By using a Data Protection Impact Assessment (DPIA). The Dutch name of the DPIA is 'gegevensbeschermings-effectbeoordeling'.


A DPIA can best be compared to traffic lights. It contains a series of questions that show at which points in your study the light is green, orange or red in terms of handling personal data.


Why?

Within the GDPR, a DPIA serves as a risk assessment. It is a structured way of identifying risks in the handling of personal data within a study. Answering all of the questions in the DPIA together with a privacy expert in your organisation gives you an overview of the potential risks, allowing you to take effective measures early on, which saves you a lot of time and reduces the risk of data breaches later in your study.

How?

Always conduct a DPIA once you have outlined the study. Complete the questionnaire together with a privacy expert within the organisation. This usually takes sixty to ninety minutes. The questionnaire results in a risk assessment that will usually form the basis for adjusting parts of your research plan. Another DPIA might then need to be performed to check the adjusted research proposal for risks.

The framework of the process is as follows:

Example

As mentioned above, a DPIA is a questionnaire. If you would like to see the questions covered in a DPIA, view an example here. Note: the questionnaire used by your organisation may differ from this example. Contact your internal privacy expert for the DPIA used by your organisation.