The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

DPIA policy and procedures

You understand whether a DPIA is required, or where it would be good practice to complete one. There is a clear DPIA policy and procedure.

Ways to meet our expectations:

  • You have a DPIA policy which includes:
    • clear procedures to decide whether you conduct a DPIA;
    • what the DPIA should cover;
    • who will authorise it; and
    • how you will incorporate it into the overall planning.
  • You have a screening checklist to consider if you need a DPIA, including all the relevant considerations on the scope, type and manner of the proposed processing.
  • If the screening checklist indicates that you do not need a DPIA, you document this.
  • Your procedure includes the requirement to seek advice from the DPO and other internal staff as appropriate.
  • Your procedure includes consultation with controllers, data processors, individuals, their representatives and any other relevant stakeholders as appropriate.
  • Staff training includes the need to consider a DPIA at the early stages of any plan involving personal data and, where relevant, you train staff in how to carry out a DPIA.
  • You assign responsibility for completing DPIAs to a member of staff who has enough authority over a project to effect change, e.g. a project lead or manager.

Can you answer yes to the following questions?

  • Are your policies and procedures easy to locate?
  • Are staff aware of the process?
  • Do they consider it effective?
  • Have they had adequate training?
  • Are DPIAs conducted by those with appropriate authority to effect change?