DPIAMA: An integrated impact assessment for responsible AI use

April 8, 2026
Innovation with data and AI requires more than just managing privacy risks. Especially when things become complex, where ethics, human rights, and compliance intersect, it is essential that the right people come together and engage in meaningful dialogue. A DPIAMA combines a DPIA and an IAMA, bringing business, development teams, and compliance together at one table.

Why a DPIAMA?

A DPIAMA accelerates innovation by ensuring that all relevant disciplines collaborate from the very start of a project, working toward a shared goal: a well-functioning solution that also meets all applicable requirements.

It ensures that the right questions are addressed at the right time. The core principle is that all roles involved in the development of AI actively contribute from the beginning, helping to think through both the design and the responsible use of the solution. No “us versus them,” but a shared understanding and collective responsibility.

How does it work?

A DPIAMA consists of three steps:

  • Intake
    In a short session, we jointly define the scope, objectives, and context of the assessment.
  • Workshop
    In a half-day session, we bring together all relevant stakeholders: from product owner to developer, from end user to privacy and security specialist. We facilitate the discussion, provide structure, and document everything.
  • Reporting
    A clear and structured report outlining risks, opportunities, measures, and next steps—including the rationale behind decisions. The output is immediately usable and tailored to the client’s needs.

All discussions and decisions from the workshop are carefully documented, providing not only insight into choices and risks but also enabling organizations to efficiently meet compliance requirements and ensure responsible AI implementation.

Depending on the complexity and the stage of development or procurement, a second workshop may be conducted a few months later. This can be useful when initial assumptions or starting points were not yet fully defined and need to be revisited and validated.

We facilitate, you focus on what truly matters

What does it deliver?

The strength of a DPIAMA lies in combining assessments that are traditionally performed separately. Without integration, this often results in a fragmented overview of risks and measures, with stakeholders moving from one session to another and losing momentum.

A DPIAMA offers an integrated approach and is:

  • Interactive & multidisciplinary
    Not a checkbox exercise, but a real conversation. Its strength lies in interaction and bringing together diverse perspectives.
  • Efficient
    One workshop provides a complete overview of relevant risks, avoiding time loss from separate sessions or repeated discussions.
  • Integrated & responsible-by-design
    A DPIAMA looks beyond disciplinary boundaries, laying the foundation for both responsible and innovative use of data and AI.
  • From opposition to collaboration
    It breaks the traditional “compliance versus business” mindset, replacing it with a shared and widely supported perspective.

Proven approach

This methodology builds on our successful “Hoera, een DPIA!” approach, which has been applied hundreds of times since the introduction of the GDPR in 2018. It has now been expanded to also address risks related to public values, human rights, and AI-specific challenges.

This is visualized in our DPIAMA wheel.

Participants in these workshops are consistently enthusiastic about the approach.

Want to learn more about how a DPIAMA can accelerate your innovation while ensuring responsible use of data and AI?
