Data Protection Impact Assessment

A DPIA is a way of identifying risks and the impact on the data subjects involved when new projects are processing personal data. On the basis of the assessment, measures will have to be taken to prevent or minimise the negative impact on the data subjects.

A DPIA must be carried out before the project starts and as soon as the planning phase begins. In any case, it is necessary to take the findings of the DPIA into account when planning further in the project.

• Determining the impact on the data subjects, whose data you are going to process;
• Identifying and addressing privacy risks in the project;
• Include privacy protection measures in the design phase: Privacy-by-design and by-default.

• A description of the processing, the purpose of the processing and the legal basis for the processing;
• An assessment of the necessity and proportionality of the processing in relation to the purposes;
• A risk assessment, and
• A mitigating measures to be taken to limit the identified risks.

As the controller of the processing activity, TU Delft is responsible for carrying out the DPIA.

In practice, the implementation is carried out through mandate by the line managers of the directorates and faculties responsible for data processing activities.

• Make sure to integrate the findings and the recommendations of the DPIA when implementation of your project;
• Include the DPIA documentation in the GDPR registry;
• If you change the processing, or there is a change of risk in your project, please check if the processing is still in accordance with the DPIA. If not, reassess your DPIA;