An important aspect of the General Data Protection Regulation (GDPR) that may be new to companies is the requirement set forth in Articles 35 and 36 that they conduct data protection impact assessments (DPIAs) when embarking on new data processing activities. While some organizations may have experience with DPIAs, often referred to as Privacy Impact Assessments in the United States, many may be unfamiliar with how they should be carried out and what data protection authorities look for when they review them.

Companies may find help in the Belgian Privacy Commission’s Recommendation on Data Protection Impact Assessments and the prior consultation requirements provided for by Articles 35 and 36. The Recommendation provides guidance about the core elements and requirements of a data protection impact assessment, when such assessments are required, and when in the product or service development cycle they should be carried out.

The Recommendations indicate that a DPIA is not mandatory for every processing operation but required where processing is “likely to result in high risk to the rights and freedoms” of data subjects. To arrive at that determination, the Belgian DPA directs companies to Guidelines recently released by the Article 29 Working Party, “Guidelines on Data Protection Impact Assessment and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679,” which articulate nine criteria to consider in determining whether the processing of personal data is likely to create such risks. If two of these are detected, the Belgian DPA states that a DPIA must be conducted.

The Belgian DPA states that the impact assessment must be conducted before processing of personal data begins and characterizes DPIAs as helpful tools for companies making decisions about their data processing activities.

According to the recommendation, the essential information to be included in a DPIA include:

  • Description of the processing under consideration;
  • Description of the purpose of personal data involved, categories of recipients of the data and for how long the data is retained;
  • The manner in which the data is saved, e.g., cloud, software, paper, etc.
  • Evaluation of the necessity of processing and whether it is proportional to the purpose of the processing.

The DPIA must also include a risk assessment of the processing, including its analysis and evaluation of the risks. While companies are free to choose a method so long as it results in objective evaluation of the risks, the Belgian DPA recommends the use of existing risk management methods. Finally, the DPIA must reflect the measures taken to address identified risks, ensure protection of the data and comply with the GDPR.

The GDPR provides that in some cases, companies consult with data protection authorities prior to commencing new processing. However, the Belgian DPA states that consultation is necessary only when the risk posed by processing is high. If the risks can be mitigated, then a prior consultation is not mandatory.


Achieved Compliance – helping you navigate the complex world of data compliance.

Through its software guided review and remediation process, education tools and representation services, Achieved Compliance makes it possible for companies to take all the steps needed for meaningful compliance that meets regulators’ expectations.

For more information as to how we can help your organization be GDPR compliant please contact