A Data Protection Impact Assessment (DPIA) Tool for Practical Use in Companies and Public Administration

From 25 May 2018, the European General Data Protection Regulation (GDPR) applies. In certain cases, namely where processing is likely to result in a high risk to the rights and freedoms of natural persons (Article 35 GDPR), the GDPR requires companies and public authorities to carry out a data protection impact assessment (DPIA; Datenschutz-Folgenabschätzung in German, or DSFA for short). The aim of a DPIA is to identify and assess the risks that a data processing operation poses to the people whose data is processed, so that typical attacks, whether by the processing organisation itself or by external parties, can be contained through adequate countermeasures. However, the GDPR gives little guidance on how to carry out a DPIA in practice.

The aim of the project is to validate and refine a process for carrying out a DPIA (Figure below) in co-operation with actors from business and public administration. The resulting process should be suitable for different technologies and data processing techniques, useful for actors from both the public and the private sector, equally applicable to institutions of different sizes and, finally, satisfy the legal requirements of the GDPR.