FSBS Privacy & Data Management

Data Protection Impact Assessment

DPIA

A Data Protection Impact Assessment (DPIA) is a risk-inventory assessment of your project. You can read more about what a DPIA entails in this knowledge base article. While it is always advisable to perform a DPIA (or an equivalent analysis) when you are working with personal data, it is sometimes mandatory – mainly when there is a possibility of a high risk to the privacy of data subjects.

Privacy scan

In order to assess whether such a potential risk exists, you can go through a privacy scan. This template will ask you to fill in the relevant information related to the processing of personal identifying information in your project. Together with the faculty privacy officer, you will assess whether a more detailed DPIA is warranted.

Before contacting the privacy officer, you can already start by downloading the template and gathering the required information to fill it in.

  • Administrative Information – Details like the name of the project, contact information of the individuals responsible for the project, etc.
  1. Description of the Project’s Purpose – The privacy scan starts with a brief description of the project’s purpose, and a description of the activities that involve the use of personal data. With this explanation, it will be clear that the activities are necessary to reach the purpose.
  2. Description of Data Subjects – This step asks for a detailed description of the people behind the data (the data subjects): how they are selected, how many people are involved, and whether there is a relationship between data subjects and the people responsible for the project.
  3. Description of the Categories and Purposes of Personal Data – This step asks for a detailed description of the types of data collected from data subjects, with a justification for each data type. It should be clear how each type of data processed by the project is necessary to reach the purpose.
  4. Description of the Processing of Personal Data – This step asks for a detailed description of how data is processed: where it is coming from, how and where it is being stored and analyzed, who has data access and for what reasons, and for how long data is retained. Privacy enhancing technologies and data minimization measures are described in this step. It should be clear that the principles of data protection by design and by default have been applied appropriately.
  5. Description of Information Provided to Data Subjects – This step asks for a detailed description of how and what information is provided to data subjects – information must be provided in a timely, accessible, clear and understandable manner, using different channels and at different layers if necessary.
  6. Description of How Data Subjects Can Exercise Their Data Subject Rights – This step asks how people can exercise their rights – it should be clear that they are able to exert appropriate control over how their data is processed.
  7. Description of Lawful Basis for Processing – This step asks for a detailed description of the legal basis behind the processing – the legal reason why this process is lawful under the GDPR. It should be clear that the requirements of the chosen lawful basis – consent, legitimate interest, etc. – have been properly met.
  8. Description of Measures to Ensure Compliance By Processors and/or Joint Controllers – If the project involves working with others outside the UU – other researchers, or service providers – this step asks for a description of how they will comply with the GDPR. For example, by using data processing agreements (DPA) or joint controller agreements.
  9. Description of Planned Transfers of Personal Data to Other Countries Outside the EU – If personal data is transferred outside the EU, this step asks for a detailed description of how these transfers are allowed under the GDPR.
  10. Obtaining, Consulting, and Dealing with Data Subjects’ Views of the Processing – This step asks how data subjects are consulted to obtain their views on the processing, which empowers them to exert control over the process during the design stage, and how their feedback is incorporated into the project’s design. Consulting data subjects is intended to be an instrument of transparency, and an assessment of whether the necessity and proportionality of the processing is justified in the eyes of data subjects.
  11. Preliminary Risk Assessment – This step aims to identify possible adverse effects – damages – that processing might have on data subjects, and to describe the (legal, technical and organizational) safeguards that will manage (reduce, eliminate or accept) these potential risks.