At a glance

  • A data protection impact assessment (DPIA) is ‘an assessment of the impact of the envisaged processing operations on the protection of personal data’.
  • You must carry out a DPIA before you process personal data when the processing is likely to result in a high risk to the rights and freedoms of individuals.
  • The ICO has produced guidance and screening checklists about DPIAs that you may wish to adopt.

In brief

What is a data protection impact assessment?

Data protection impact assessments or DPIAs (previously known as privacy impact assessments or PIAs) are a tool that can help you identify the most effective way to comply with your data protection obligations and meet individuals’ expectations of privacy. An effective DPIA will allow you to identify and fix problems at an early stage, reducing the associated costs and damage to your reputation which might otherwise occur.

When do we need to conduct a DPIA?

You must carry out a DPIA before you process personal data when the processing is likely to result in a high risk to the rights and freedoms of individuals.

Processing that is likely to result in a high risk includes (but is not limited to):

  • systematic and extensive processing activities, including profiling and decisions that have legal effects, or similarly significant effects, on individuals;
  • large scale processing of special categories of data or personal data relating to criminal convictions or offences;
  • using new technologies (for example surveillance systems).

You must take into account the nature, scope, context and purposes of the processing when deciding whether or not it is likely to result in a high risk to individuals’ rights and freedoms.

How do we carry out a DPIA?

A DPIA must contain:

  • at least a general description of your processing operations and the purposes;
  • an assessment of the risks to the rights and freedoms of individuals;
  • the measures envisaged to address those risks;
  • the safeguards, security measures and mechanisms in place to ensure you protect the personal data; and
  • a demonstration of how you are complying with Part 3 of the Act, taking into account the rights and legitimate interests of the data subjects and any other people concerned.

When do we need to send our DPIA to the ICO?

If you have carried out a DPIA that identifies a high risk, and you cannot take any measures to reduce this risk, you need to consult the ICO. You cannot go ahead with the processing until you have done so.

The focus is on the ‘residual risk’ after any mitigating measures have been taken. If your DPIA identified a high risk, but you have taken measures to reduce this risk so that it is no longer a high risk, you do not need to consult the ICO.

The Information Commissioner will respond within six weeks. This timescale may increase by a further month, depending on the complexity of the processing you intend to carry out.

Example

A police force is considering using a commercially available drone system for surveillance purposes. By conducting a DPIA prior to any purchase of the equipment or processing taking place, the force can establish whether or not the equipment offers adequate security for the recording, and if the use of the system is proportionate or poses a high risk to the rights and freedoms of any individuals.

If they discover high risks after conducting a DPIA, and cannot easily mitigate any residual risk, the police force should consider consulting with the Information Commissioner for further guidance or approval.