Download PDFOpen PDF in browser

Persona-oriented Data Protection Impact Assessment for Small Businesses

12 pagesPublished: May 26, 2023


The European (EU) General Data Protection Regulation (GDPR) is applicable since May 2018 and has since posed major challenges for small businesses with limited knowledge and resources. According to Art. 35 of the GDPR, a so-called ‘Data Protection Impact Assessment’ (DPIA) is mandatory if a processing of personal data is likely to result in a high risk to the rights and freedoms of natural persons. There is a demand for low-threshold, practical instruments that support the required DPIA. The objective of this research was to develop a new DPIA instrument that meets the needs – as unit of analysis – of non-technology small businesses and complies with the requirements of the EU GDPR. Design Science Research was used as the methodological framework and identified personas were drivers in the development. The result is two variants of instruments that have been carefully evaluated and proven to be valuable.

Keyphrases: data protection, Data Protection Impact Assessment, European General Data Protection Regulation, small businesses

In: Aurona Gerber and Knut Hinkelmann (editors). Proceedings of Society 5.0 Conference 2023, vol 93, pages 152--163

BibTeX entry
  author    = {Bettina Schneider and Petra Maria Asprion and Ilya Misyura and Natalie Jonkers and Esther Zaugg},
  title     = {Persona-oriented Data Protection Impact Assessment for Small Businesses},
  booktitle = {Proceedings of Society 5.0 Conference 2023},
  editor    = {Aurona Gerber and Knut Hinkelmann},
  series    = {EPiC Series in Computing},
  volume    = {93},
  pages     = {152--163},
  year      = {2023},
  publisher = {EasyChair},
  bibsource = {EasyChair,},
  issn      = {2398-7340},
  url       = {},
  doi       = {10.29007/5lfs}}
Download PDFOpen PDF in browser