NOREA, the professional association for IT-auditors in the Netherlands, has recently published the ‘NOREA Guidance DPIA’. The ‘NOREA Guidance DPIA’ (Data Protection Impact Assessment) does not only comply with the GDPR and the criteria issued by the EDPB for an acceptable DPIA but also ties in with ISO31000/31010 for developing the privacy risk assessment and risk treatment. In ISO 31010 several methods/techniques are described for performing risk assessments.

In the ‘NOREA Guidance DPIA’ the choice was made to work out the bowtie methodology as an example for risk assessment. The Working Group believed that the bowtie technique is a particularly powerful tool to explicitly analyze the negative consequences of risks and gain insight. Therefore, not only better measures are taken but through the visualization a broader support base among stakeholders of the DPIA is accomplished. This can also contribute to a better argumentation of the risk appetite of the organization.

The Dutch version of the ‘NOREA Guideline DPIA’ is published on The English version will be added soon to this page.

To illustrate the use of bowtie for risk assessment and risk treatment according to the NOREA Guide DPIA, an example is described in a paper, written by Jeroen van Puijenbroek MBA LLM EMITA CIPP/e CIPM FIP. For any questions on this topic, please contact Jeroen via

Start DPIAs with the bowtie method – Download a full copy of the paper

Are you interested to learn more about conducting DPIAs with the bowtie method? Download the paper for a more detailed explanation. Complete & submit the details below to receive a copy in your inbox right away.