I need to draft a DPIA, what is the minimum content?
A DPIA describes the processing, assesses the risks to data subjects and records the safeguards. GDPR Article 35 gives the building blocks, the Dutch DPA and EDPB publish practical templates.
Try this first
- 1Describe the processing concretely: purpose, data categories, subject groups, retention, recipients and any transfers outside the EEA.
- 2Test necessity and proportionality. Can you reach the same goal with less data or less invasively? Document why the current setup is the right one.
- 3Run the risk analysis from the data subject's perspective, not yours. Think unauthorised access, unwanted linking, profiling or discrimination.
- 4Tie measures to each risk: technical (encryption, access control, logging) and organisational (training, policy, contracts).
- 5Have the DPO or a privacy lawyer review, get board sign-off, and put a re-assessment date in the calendar.
When to bring us in
If you process special-category data at scale or run profiling with legal effects, get a specialist to review before go-live.
See also
- Does NIS2 apply to my company?Two questions decide it: are you in a listed sector, and do you meet the threshold from Recommendation 2003/361/EC (more than 50 FTE and more than EUR 10M turnover or balance sheet). Below that you are only indirectly in scope, via your customers. The threshold determines whether you are an important or essential entity depending on sector.
- What changes with the Dutch Cyber Security Act?The Cyberbeveiligingswet is the Dutch implementation of NIS2. Track NCSC for the exact effective date and the lower regulations.
- Am I personally liable as a director under NIS2?Yes. The board is accountable for approving and overseeing the cyber measures. Severe negligence can become personal.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.