Contact us


Data Protection Impact Assessment (DPIA)

Is your company planning to start a new personal data processing operation? Maybe you have a new CRM system, a case management system or an Electronic Patient Record (EPD) which processes numerous special categories of personal data. Or are you about to update or modify an existing process which will change some aspects of your data processing? If so, then you may have to carry out a Data Protection Impact Assessment (DPIA). In Dutch, this is called a gegevensbeschermingseffectbeoordeling, or GEB for short. Please note that this requirement also applies to old processes for which a DPIA has never been carried out.


What exactly is a DPIA?

A DPIA is a risk analysis of the effects of a new or modified personal data processing operation on the relevant data subject. Examples of these include the implementation of a project (like a new customer information IT system), an exchange of personal data with other companies, or a new or different analysis or profiling of personal data. You carry out a DPIA before you start your new processing operation, or when a process is about to undergo a change.

You must also periodically review your DPIA and modify it where necessary. The purpose of a DPIA is for you to make an early assessment of the risks to the rights and freedoms of the relevant data subjects and to obtain clarity on the measures that can mitigate these risks.


When do you need to do a DPIA?

A DPIA is mandatory when the processing you intend to carry out poses high risks to the rights and freedoms of the relevant data subjects. Examples include automated decision-making, large-scale processing of special categories of personal data, camera surveillance and employee monitoring.

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) has a list of 17 processing operations for which a DPIA is always mandatory. You can find this list here. Even if a DPIA is not a legal requirement, it may be advisable to do one anyway. In fact, a good DPIA will ensure that you meet the data processing requirements of the General Data Protection Regulation (GDPR). It will also offer practical measures and guidance for your company to consider when processing personal data.

How can we help you with a DPIA?

We would be happy to carry out a DPIA for you, or to help your company do its own DPIA. We will then be able to customise our own effective method to your purposes and embed it in your company’s processes.

Would you or your colleagues like to carry out a DPIA or learn how to do so? In that case, you might be interested in a DPIA workshop. During our workshop, we will explain the whys and wherefores of a DPIA and provide hands-on guidance on how to do one.

We are Cuccibu

Interested or have any questions?

Please feel free to contact us! We would be happy to help you find the solution that best suits your company’s needs.

"*" indicates required fields

Jouw naam en e-mailadres gebruiken wij alleen voor het door jou gevraagde contact. Wil je meer lezen over hoe Cuccibu omgaat met persoonsgegevens? Lees dan hier onze privacy- en cookieverklaring.
This field is for validation purposes and should be left unchanged.

“We believe that you create added value through secure and responsible digitisation. This leads to opportunities for individuals, companies and society as a whole.”