EDPB DPIA template – utility and scope

What is the target audience of the EDPB’s DPIA template? Most who *need* to carry out DPIAs more often have had their own templates/tools for 5-10 years. And does it anticipate the Digital Omnibus? Only in part, with the biggest work yet to come. Some comments:

1. On the issue of DPIA requirement screening, its section on “Reasons to conduct the DPIA” [page 5] is misleading as it suggests that a DPIA is required even if just *one* of the Article 29 Working Party’s DPIA criteria applies (while it’s actually *two* or more according to those 2017 Guidelines).

2. Even if no DPIA is required, some documentation is still useful – what I like to call a “mini-DPIA”. This is obviously *NOT* the EDPB’s intent, yet it can still be useful to fill in at least some of the more essential fields as part of project preparation. It would have been good to highlight which fields are useful to *all* projects in the EDPB’s view, also given that some projects evolve over time.

3. I know it’s a much more significant effort, but it would have in my view been better to first work on harmonising DPIA requirements. That would have been truly worthwhile, no matter what happens to the Digital Omnibus.

While the Digital Omnibus on GDPR does mention a template, the essential focus is simplifying the process of determining when one is needed across various countries – and when not. And the EDPB welcomed this!

I once led the mapping of *over 250* DPIA-required scenarios across 22 countries, and I ended up with 14 essential criteria (more than the WP29’s 9) to cover those national requirements.

Why not work on that?

4. In general, the template feels like a non-operational compliance document.

It features a section on “Measures supporting compliance with principles in Article 5(1)(a-f) GDPR” that basically lists the GDPR’s data protection principles, without giving any indication of what they mean in practice. The right to rectification and the right to erasure are listed together in the following section, despite very different operational concerns on how to manage those two rights. Data protection by design and by default are similarly mixed in the same section, but without any guidance.

So again: what is the target audience of this template?

In most organisations I know, compliance & privacy teams try to involve operational teams in a DPIA process. If the aim is a startup with little data protection experience, this template needs more hand-holding. If the aim is a larger organisation, this template needs more operational guidance included.

I appreciate the effort – I do! And I recommend that anyone carrying out DPIAs take a look to double-check that their own templates/… cover all points the EDPB lists in this document.
Still, I think that a lot of additional work is needed before this can become truly useful in the field – and that it would be even better to focus first on harmonising DPIA requirements as such.

Perhaps they need to first look at those 250+ scenarios!

🫖

Did this analysis get you thinking? Reach out!

DataLaws.net is entirely open-access, and instead of getting your data in exchange for this content, how about another trade? If this commentary saved you research time or sparked an idea, feel free to invite me over for tea, chai or a hot chocolate next time you are around Brussels or Antwerp - or invite me over to your offices for a chat!
