Data Protection Impact Assessment (DPIA)
Investigating privacy in the context of the General Data Protection Regulation (GDPR)
With the introduction of the GDPR in 2017, privacy investigations have become mandatory. They share a common basic form but appear under different names. In the Dutch version of the GDPR, such an investigation is called a Gegevensbeschermingseffectbeoordeling (GEB), while the names Privacy Impact Assessment (PIA) and Data Protection Impact Assessment (DPIA) are also used.
Work program
Various versions of the work program are available in the Netherlands, namely the ‘Model gegevensbeschermingseffectbeoordeling rijksdienst (PIA)’ of the Ministry of BZK, the ‘NOREA Guide to Privacy Control Framework’ and the ‘NOREA PIA’.
Noordbeek has developed its own work program and reporting method, primarily based on the model of the Ministry of the Interior and Kingdom Relations, and where necessary supplemented with points for attention from NOREA.
Competence and experience
Noordbeek has carried out many DPIAs within (semi-)government and private organizations. This is always done in a pragmatic manner, with concrete advice given for any identified risks. We deploy experienced IT auditors in this area, supplemented with legal expertise.
ISO 27701 certification
Our services for certification against ISO/IEC 27701:2019 ‘Security techniques - Extension to ISO/IEC 27001 and 27002 for privacy information management - Requirements and guidelines’ have been placed with Noordbeek Certification.
Data Protection Impact Assessment (DPIA)
A full DPIA tests whether the processing of personal data meets the requirements of the GDPR. The scope and object of the investigation are determined in consultation with the organization. The analysis can be performed on the entire organization, a business process, an application or a project. Among other things, the legal basis for processing, the notification obligation, the right of inspection, data minimization, deletion periods and agreements with any processors are examined. The result of a DPIA is a report of findings on the extent to which the organization meets the predetermined requirements.
Privacy scan
A privacy scan has a less formal character. If an organization does not yet have a clear picture of the areas in which privacy risks exist and needs help securing this data, it can decide to have a privacy scan performed. To this end, it is checked across the entire organization where personal data is stored, processed and distributed, and whether the legal requirements are met. For each collection of personal data, it is made clear what the risks of theft, loss or misuse are and what the possible impact on the organization is. It is also investigated to what extent the risks are mitigated by existing measures and whether residual risks remain. If so, a proposal is made for mitigating measures.