Authors: Kloza, Dariusz; Calvi, Alessandra; Casiraghi, Simone; Vazquez Maymir, Sergi; Ioannidis, Nikolaos; Tanas, Alessia; Van Dijk, Niels
Vrije Universiteit Brussel’s Brussels Laboratory for Data Protection & Privacy Impact Assessments (d.pia.lab) developed a template for a report from the process of data protection impact assessment (DPIA) that conforms to the requirements of Articles 35–36 of the EU General Data Protection Regulation (GDPR) and reflects best practices for impact assessment. The template is available in both readable and editable formats.
For this resource, the d.pia.lab defines impact assessment as an evaluation technique used to analyze the possible consequences of an initiative for relevant societal concerns, to determine whether this initiative could present danger to these societal concerns, with a view to supporting an informed decision on whether to deploy the initiative and under what conditions, and constitutes a means by which to protect those societal concerns.
The template forms part of the architecture of impact assessment, which typically consists also of a framework, method and template. To that end, the d.pia.lab has developed:
- A framework that constitutes an "essential supporting structure" or organizational arrangement for something, which defines and describes the conditions and principles of impact assessment.
- A method that is a "particular procedure for accomplishing or approaching something." It organizes the practice of impact assessment and defines the consecutive or iterative steps to be undertaken in order to carry out the assessment process. A method corresponds to a framework and can be seen as a practical reflection of it.
- Finally, a template that is a practical aid for the assessor. It takes the form of a schema to be completed following the given method. It structures the assessment process, guides the assessor through the process, and serves as a final report from the process. It documents all the activities undertaken within a given assessment process, clarifies the extent of compliance with the law, and provides evidence as to the quality of the assessment process.
The said template puts forth five novel aspects:
- First, it aims at comprehensiveness to arrive at the most robust advice for decision-making.
- Second, it aims at efficiency, that is, to produce effects with the least use of resources.
- Third, it aims at exploring and accommodating the perspectives of various stakeholders, although the perspective of individuals dominates; it, therefore, fosters fundamental rights thinking by, for example, requiring justification for each choice, hence going beyond a mere ‘tick-box’ exercise.
- Fourth, it aims at adhering to the legal design approach to guide the assessors in a practical, easy and intuitive manner throughout the 11-step assessment process, providing necessary explanations for each step, while being structured in expandable and modifiable tables and fields to fill in.
- Fifth, it assumes its lack of finality as it will need to be revised as experience with its use grows.
As this architecture for impact assessment constantly evolves, d.pia.lab welcomes feedback at dpialab@vub.ac.be and/or at @dpialab.