Labels: openspec (OpenSpec change proposals and specs)
Description
DPIA (Privacy Impact Assessment) Tooling
Status: Proposal
Scope: Org-wide (all Conduction apps, priority on personal-data apps)
Spec: openspec/changes/dpia-tooling/proposal.md
Problem
DPIAs are legally required (AVG/GDPR Art. 35) for processing that poses high risk to data subjects. 25 tender sources demand DPIA documentation/tooling. Our apps process personal data (cases, contacts, documents) but have no structured DPIA support.
Broader AVG/GDPR demand: 149 tender sources.
Proposed Solution
Create DPIA templates and tooling for privacy impact assessments, plus privacy-by-design features:
- DPIA template per app -- what data is processed, legal basis, risks, mitigations
- Pre-filled DPIA from data model -- auto-analyze OpenRegister schemas for personal data fields
- Privacy dashboard -- Nextcloud admin overview of personal data across all apps
- DSAR tooling -- export all data for a person (BSN/name) for data subject access requests
- Right to be forgotten -- delete/anonymize all data for a person across OpenRegister
- Verwerkingsregister -- auto-generated data processing register from app configurations
- Retention policy enforcement -- auto-flag objects past retention date
- Privacy-by-design CI checklist -- PR template checks for privacy considerations
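As an added illustration of the "pre-filled DPIA from data model" and "retention policy enforcement" items (example code written for this issue, not code from the proposal or from OpenRegister): a Python sketch that scans a register schema for personal-data fields and flags objects past their retention date. The JSON-Schema-like schema shape, the field-name heuristics and the sample objects are constructed assumptions.

```python
import json
import re
from datetime import date, timedelta

# Field-name heuristics -> personal-data category (constructed, not exhaustive).
PERSONAL_DATA_HINTS = {
    r"\bbsn\b": "national id (special handling under AVG/GDPR)",
    r"(voor|achter)?naam|name": "name",
    r"e-?mail|telefoon|phone": "contact details",
    r"geboortedatum|birth": "date of birth",
    r"adres|address|postcode": "address",
    r"iban": "financial",
}

def scan_schema(schema, path=""):
    """Walk a JSON-Schema-like dict; return [(field_path, category)] for every
    property whose name matches a hint, recursing into nested objects."""
    hits = []
    for name, prop in schema.get("properties", {}).items():
        full = f"{path}.{name}" if path else name
        for pattern, category in PERSONAL_DATA_HINTS.items():
            if re.search(pattern, name, re.IGNORECASE):
                hits.append((full, category))
                break
        if prop.get("type") == "object":
            hits.extend(scan_schema(prop, full))
    return hits

def flag_expired(objects, retention_days, today):
    """Return ids of objects created more than retention_days before today."""
    cutoff = today - timedelta(days=retention_days)
    return [o["id"] for o in objects if date.fromisoformat(o["created"]) < cutoff]

def dpia_draft(schema, objects, retention_days, today):
    """Pre-fill the data-inventory and retention sections of a DPIA."""
    return {"app": schema["title"],
            "personal_data_fields": scan_schema(schema),
            "expired_objects": flag_expired(objects, retention_days, today)}

# Constructed sample schema (assumed shape, not OpenRegister's real format) and objects.
CONTACT_SCHEMA = {"title": "contact", "properties": {
    "id": {"type": "string"}, "bsn": {"type": "string"},
    "voornaam": {"type": "string"}, "email": {"type": "string", "format": "email"},
    "adres": {"type": "object", "properties": {
        "straat": {"type": "string"}, "postcode": {"type": "string"}}},
    "notities": {"type": "string"}}}
CONTACTS = [{"id": "c1", "created": "2020-01-15"}, {"id": "c2", "created": "2025-06-01"}]
TODAY = date(2026, 1, 1)  # fixed reference date so results are reproducible
if __name__ == "__main__":
    print(json.dumps(dpia_draft(CONTACT_SCHEMA, CONTACTS, 5 * 365, TODAY), indent=2))
```

The output is only a starting point for the DPIA: a reviewer still has to confirm legal basis, risks and mitigations per field, and name-based heuristics miss personal data stored in free-text fields such as `notities`.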
Standards
| Standard | Article | Tender Demand |
|---|---|---|
| AVG/GDPR | Art. 35 (DPIA) | 25 sources |
| AVG/GDPR | Art. 30 (verwerkingsregister) | 149 sources |
| AVG/GDPR | Art. 15-17 (data subject rights) | 149 sources |
| BIO | Privacy controls | 170 sources |
Priority Apps
High: Procest, Pipelinq, Docudesk, ZaakAfhandelApp
Medium: OpenRegister, OpenConnector, OpenCatalogi
Lower: NL Design, MyDash, SoftwareCatalog, LarpingApp