Skip to main content

DPIA Workshop @ 3rd European TA Conference

Data protection and privacy impact assessments: An instrument foreseen by the new European data protection regulation

Workshop at the 3rd European Technology Assessment Conference, Cork (Ireland), 17-19 May 2017

Organisers: Michael Friedewald, Fraunhofer Institute for Systems and Innovation Research ISI, Karlsruhe, Germany; Johan Cas, Walter Peissl, ITA, Austrian Academy of Sciences, Vienna, Austria


While the proliferation of technological innovation has made the processing of personal data by automated means ubiquitous, the enforcement of the individual’s rights has not been at the forefront of concern. Carrying out a Data Protection (or Privacy) Impact Assessment, while keeping in mind its purpose of ensuring the protection of individual rights, is able to bridge this divide. In order to help organizations and enterprises to assess the data protection impact of their processing of data, the new EU General Data Protection Regulation (GDPR), under the conditions of its Article 35, prescribes the execution of a Data Protection Impact Assessment (DPIA). A DPIA is an instrument to identify and analyse risks for individuals, which exist due to the use of a certain technology or system by an organization in their various roles (as citizens, customers, patients, etc.). On the basis of the outcome of the analysis, the appropriate measures to remedy the risks should be chosen and implemented (so called „privacy by design“). Although DPIAs have been discussed for more than ten years there was no standard model of how to carry out such an assessment. Until May 2018 when the GDPR will comes into force there need to be DPIA framework(s) which are fulfilling the legal requirements.

Currently there are proposals by the French and UK Data Protection authorities and by the German „Privacy Forum„.

In the first part of the workshop (90 minutes) researchers and practioners from several disciplines will present scientific findings on Privacy Impact Assessment and Data Protection Impact Assessment respectively.  One aim is to learn from each other’s approaches.

In the second part (60 minutes) a round table of stakeholders (policymakers,  representatives of civil society and industry, etc) will discuss their perspectives on the data protection impact assessment and which extent scientific findings may help to deal with societal and political challenges

Tentative programme

Part 1: Presentations by

Part 2: Round table with

  • Andreas Krisch, President European Digital Rights (EDRi)


  • Data Protection Authorities: Marit Hansen, ULD?; EDPS (who’s responsible for DPIA?)
  • Policy Makers: Thomas Zerdick, EC (or even Paul Nemitz); Jan Philipp Albrecht/Ralf Bendrath, EP
  • Industry: Siani Pearson, HP; Matthias Schunter, Intel
  • ENISA (Stefan Schiffner), FRA (Vida Beresneviciute)