The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

DPIA risk mitigation and review

You take appropriate and effective action to mitigate or manage any risks a DPIA identifies, and you have a DPIA review process.

Ways to meet our expectations:

  • You have a procedure to consult the ICO before processing starts if a DPIA identifies a high risk that you cannot reduce, so that a residual high risk remains (prior consultation).
  • You integrate outcomes from DPIAs into relevant work plans, project action plans and risk registers.
  • You do not start high risk processing until mitigating measures are in place following the DPIA.
  • You have a procedure to communicate the outcomes of DPIAs to appropriate stakeholders, eg through a formal summarised report.
  • You consider actively publishing DPIAs where possible, removing sensitive details if necessary.
  • You agree and document a schedule for reviewing the DPIA regularly, and you also review it whenever the nature, scope, context or purposes of the processing change.

Can you answer yes to the following questions?

  • Do staff understand when to consult the ICO?
  • Do you effectively integrate outcomes from DPIAs into projects?
  • Are appropriate stakeholders aware of the outcomes of DPIAs?