Friedewald, M. et al. White paper on data protection impact assessment: A tool for improved data protection

Recommended reading

Michael Friedewald, Hannah Obersteller, Maxi Nebel, Felix Bieker & Martin Rost

Release date:
May 2016


Publication Series: Forum for Privacy and Self-determination in the Digital World

Our world becomes more and more digitalized and interconnected. Many offers by private businesses or the government are being supplemented by online services or even replaced completely. These services coincide with the collection of personal data. Respective regulations are being defined by the offering organizations while users can merely decide on whether they wish to use these service accepting these regulations or not. This power asymmetry has been reinforced through technology, which automates the collection and evaluation of data and transfers broadband networks worldwide. Most citizens are only partly aware of this relationship and its impact on privacy and basic rights, even though many reports on "data mishap" and governmental supervision have appeared in the media over the years.

Data protection addresses this power asymmetry between organizations and individuals and aims to guarantee the rights of those affected. In this view, every organization is regarded as a potential aggressor on the rights of individuals, who appear as structurally weaker risk takers and need to be protected from those notorious infringements. 

This White Paper aims to provide a first fundamental information for all actors, who briefly follow up on the issue of data protection impact assessment (DPIA): 

  • Political decision-makers and data protection authorities need to define the requirements that should be applied to a DPIA procedure.
  • Data protection authorities and data protection supervisors have to consider how this new instrument can be integrated into everyday workflows and how it can be used productively for protecting affected citizens.
  • Researchers, component developers, system aggregators and data processors have to clarify the new demand they face, how to deal with them by changing operational tasks and processes respectively.

Link to publication