Deliverable 2.1: Data Protection Impact Assessment


A Data Protection Impact Assessment (DPIA) aims to identify, assess, and help address risks to the rights and freedoms of data subjects arising from data processing. DPIA is a risk-focused assessment that complements the controller’s overall risk management framework. A DPIA is legally required by the GDPR for processing of personal data that is likely to pose a high risk to the fundamental rights of natural persons.  

A DPIA can also be considered a tool for building and demonstrating regulatory compliance. Having a well-articulated DPIA shows the data controller’s efforts towards ensuring compliance and may help limit liability in certain cases. Additionally, the data controller may use a DPIA to help foster trust among external stakeholders by, for example, actively engaging relevant groups (especially data subjects) in the process of preparing the DPIA, and/or making parts of the DPIA publicly available. 

EPND consortium members have conducted a community DPIA assessing the way data protection principles map to dementia sample and data sharing networks. This EPND DPIA aims to develop a shared understanding of the flows of personal data in the EPND context. Additionally, it seeks to provide analysis to support Cohorts to conduct their own DPIAs where needed. Lastly, it aspires to inform the design and operation of EPND, such as whether it will offer central, federated, or hybrid IT platforms. Key elements of this exercise are to identify GDPR roles (e.g., controllers), privacy risks, privacy safeguards, and privacy-by-design opportunities for Cohorts and platforms. This effort should be seen as part of a broader conversation with Cohorts, partners and other stakeholders to determine the aims, structure, processes, and requirements of the EPND project. 

Click the link below to download the DPIA: