On 5th November 2019, FRC member Sergi Vazquez Maymir, together with the d.pia.lab, published a 2nd policy brief on methods for impact assessment, entitled ‘Towards a Method for Data Protection Impact Assessment: Making Sense of GDPR Requirements’.
Abstract: This policy brief lays the foundations for a method for data protection impact assessment (DPIA) in the European Union (EU). First, as a prerequisite, it proposes a generic method for impact assessment, which is intended to be used – when tailored to the particular context – in multiple domains of practice, such as environment, technology development or regulation (Section 2). Next, building on this generic method and interpreting the requirements of the General Data Protection Regulation (GDPR), this policy brief lays the foundations for a specific method for the process of DPIA in the EU, which is also intended to be adapted to the context of use (Section 3). In particular, the policy brief aims to clarify two crucial aspects of this specific method, which have thus far proved to be the most contentious. These aspects are the appraisal techniques (that is, the necessity and proportionality assessment, and risk appraisal), and stakeholder involvement (including public participation) in decision-making. Section 4 summarises the findings and calls for further guidance, clarification and tailoring down. This policy brief is addressed predominantly to policy-makers who develop methods for impact assessment, practitioners who tailor these methods to the context in which they are used and assessors who conduct the assessment process in accordance with these methods.