Skip to main content

Public consultation on the draft d.pia.lab policy brief #3: a proposal for a template for a report from the DPIA process

  • June 30, 2020

The Brussels Laboratory for Data Protection & Privacy Impact Assessments (d.pia.lab), part of VUB-LSTS, seeks feedback on its draft policy brief #3, concerning a template for a report from the process of data protection impact assessment (DPIA), as required by the General Data Protection Regulation (GDPR) in the European Union (EU).

In particular, the Laboratory seeks feedback on a number of crucial aspects of the assessment process that have proven thus far the most contentious or difficult, namely: appraisal techniques (i.e. the necessity and proportionality assessment, and risk assessment), stakeholder involvement (public consultation), as well as the efficiency of conducting the assessment process (e.g. adherence to the legal design approach). The draft policy brief is available here (PDF 391 KB) and comments are welcome by e-mail at dpialab@vub.ac.be until 14 July 2020.

Abstract: This policy brief proposes a template for a report from the process of data protection impact assessment (DPIA) in the European Union (EU). Grounded in the previously elaborated framework (cf. Policy Brief 1/2017) and method for impact assessment (cf. Policy Brief 1/2019), the proposed template conforms to the requirements of Articles 35-36 of the General Data Protection Regulation (GDPR) and reflects best practice for impact assessment. Adhering to the legal design approach, the proposed template guides the assessor, in a practical way, throughout the 11-Step assessment process, providing necessary explanations for each Step, while being structured in modifiable tables and fields to fill in. It aims at comprehensiveness and requires justification for each choice, hence going beyond a mere ‘tick-box’ exercise and fostering fundamental rights thinking. The proposed template is addressed predominantly to assessors entrusted by data controllers to perform the assessment process, yet it may also assist data protection authorities (DPA) in the EU to develop (tailored down) templates for DPIA for their own jurisdictions.