[OpenSpec] DPIA (Privacy Impact Assessment) Tooling

[rubenvdlinde]

DPIA (Privacy Impact Assessment) Tooling

Status: Proposal
Scope: Org-wide (all Conduction apps, priority on personal-data apps)
Spec: openspec/changes/dpia-tooling/proposal.md

Problem

DPIAs are legally required (AVG/GDPR Art. 35) for processing that poses high risk to data subjects. 25 tender sources demand DPIA documentation/tooling. Our apps process personal data (cases, contacts, documents) but have no structured DPIA support.

Broader AVG/GDPR demand: 149 tender sources.

Proposed Solution

Create DPIA templates and tooling for privacy impact assessments, plus privacy-by-design features:

• DPIA template per app -- what data is processed, legal basis, risks, mitigations
• Pre-filled DPIA from data model -- auto-analyze OpenRegister schemas for personal data fields
• Privacy dashboard -- Nextcloud admin overview of personal data across all apps
• DSAR tooling -- export all data for a person (BSN/name) for data subject access requests
• Right to be forgotten -- delete/anonymize all data for a person across OpenRegister
• Verwerkingsregister -- auto-generated data processing register from app configurations
• Retention policy enforcement -- auto-flag objects past retention date
• Privacy-by-design CI checklist -- PR template checks for privacy considerations

Standards

Standard	Article	Tender Demand
AVG/GDPR	Art. 35 (DPIA)	25 sources
AVG/GDPR	Art. 30 (verwerkingsregister)	149 sources
AVG/GDPR	Art. 15-17 (data subject rights)	149 sources
BIO	Privacy controls	170 sources

Priority Apps

High: Procest, Pipelinq, Docudesk, ZaakAfhandelApp
Medium: OpenRegister, OpenConnector, OpenCatalogi
Lower: NL Design, MyDash, SoftwareCatalog, LarpingApp