The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

DPIA content

DPIAs always include the appropriate information and are comprehensively documented.

Ways to meet our expectations:

  • Your organisation has a standard, well-structured DPIA template which is written in plain English.
  • DPIAs:
    • include the nature, scope, context and purposes of the processing;
    • assess necessity, proportionality and compliance measures;
    • identify and assess risks to individuals; and
    • identify any additional measures to mitigate those risks.
  • DPIAs clearly set out the relationships and data flows between controllers, processors, data subjects and systems.
  • DPIAs identify measures that eliminate, mitigate or reduce high risks.
  • You have a documented process, with appropriate document controls, that you review periodically to ensure it remains up to date.
  • You record your DPO’s advice and recommendations and the details of any other consultations.
  • Appropriate people sign off DPIAs, such as a project lead or senior manager.

Can you answer yes to the following questions?

  • Do staff use the DPIA template and find it easy to understand?
  • Is the process effective?
  • Is the DPO satisfied that their advice is taken into account?
  • Are they satisfied with any consultation that has taken place and with how you reflect any feedback in the outcome?