Towards a method for data protection impact assessment: Making sense of GDPR requirements

Research output: Contribution to specialist/vulgarizing publication › Article › Specialist



This policy brief lays the foundations for a method for data protection impact assessment (DPIA) in the European Union (EU). First, as a prerequisite, it proposes a generic method for impact assessment, which is intended to be used – when tailored to the particular context – in multiple domains of practice, such as environment, technology development or regulation (Section 2). Next, building on this generic method and interpreting the requirements of the General Data Protection Regulation (GDPR), this policy brief lays the foundations for a specific method for the process of DPIA in the EU, which is also intended to be adapted to the context of use (Section 3). In particular, the policy brief aims to clarify two crucial aspects of this specific method, which have thus far proved to be the most contentious. These aspects are the appraisal techniques (that is, the necessity and proportionality assessment, and risk appraisal), and stakeholder involvement (including public participation) in decision-making. Section 4 summarises the findings and calls for further guidance, clarification and tailoring down. This policy brief is addressed predominantly to policy-makers who develop methods for impact assessment, practitioners who tailor these methods to the context in which they are used, and assessors who conduct the assessment process in accordance with these methods.
Original language: English
Number of pages: 8
Specialist publication: d.pia.lab Policy Brief
Publication status: Published - 5 Nov 2019


  • data protection impact assessment
  • DPIA
  • privacy impact assessment
  • PIA
  • GDPR
  • data protection
  • privacy
  • risk
  • risk to a right
  • stakeholder involvement
  • public participation
  • method
  • Impact assessment
  • environmental impact assessment
  • EIA
  • technology assessment
  • European Union
  • EU
  • data protection authorities
  • DPA
  • data protection officer
  • DPO

