The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

The Brexit transition period ended on 31 December 2020. The GDPR has been retained in UK law as the UK GDPR and will continue to be read alongside the Data Protection Act 2018, with technical amendments to ensure it can function in UK law. If you transfer data overseas or receive data from overseas, please visit our End of Transition and International Transfers pages. You should make sure you can identify any data you collected before the end of 2020 about people outside the UK; for further information, see our Q&A on Legacy Data.

From 1 January 2021 there is no significant change to the UK data protection regime, or to the criteria that require a DPIA. This guidance draws on European resources which we still consider to be relevant, and so these resources remain part of our DPIA guidance.

We will keep this guidance under review and update it as and when any aspect of your obligations or our approach changes. Please continue to monitor our website for updates.

This guidance discusses Data Protection Impact Assessments (DPIAs) in detail. Read it if you have detailed questions not answered in the Guide, or if you need a deeper understanding of DPIAs in order to complete one in practice. DPOs and those with specific data protection responsibilities in larger organisations are likely to find it useful.

The guidance has been revised to adopt the European Data Protection Board’s 22/2018 opinion on the ICO’s list of processing operations subject to the requirement of conducting a DPIA.

If you haven’t yet read DPIAs in brief in the Guide to GDPR, you should read that first. It sets out the key points you need to know, along with practical checklists to help you comply.

Contents

What is a DPIA?
    What is a DPIA?
    Why are DPIAs important?
    How are DPIAs used?
    What kind of ‘risk’ do they assess?

When do we need to do a DPIA?
    What is the general rule?
    What does ‘high risk’ mean?
    What does ‘likely to result in high risk’ mean?
    What types of processing automatically require a DPIA?
    What other factors might indicate likely high risk?
    What does the ICO consider likely to result in high risk?
    What does ‘innovative technologies’ mean?
    What does ‘systematic and extensive’ mean?
    What does ‘significantly affect’ mean?
    What does ‘invisible processing’ mean?
    What does ‘vulnerable individual’ mean?
    What does ‘large scale’ mean?
    Are there any exemptions?

How do we carry out a DPIA?
    What are the key elements of a DPIA process?
    Is there a template we can use?
    Who should do the DPIA?
    What is the role of the DPO?
    Step 1: How do we decide whether to do a DPIA?
    Step 2: How do we describe the processing?
    Step 3: Do we need to consult individuals?
    Step 3: Do we need to consult anyone else?
    Step 4: How do we assess necessity and proportionality?
    Step 5: How do we identify and assess risks?
    Step 6: How do we identify mitigating measures?
    Step 7: How do we conclude our DPIA?
    What happens next?

Do we need to consult the ICO?
    When do we need to consult the ICO?
    How do we consult the ICO?
    What happens next?
    What happens if we do not accept your DPIA?
    How is our DPIA assessed?
    How long does it take?
    What are the possible outcomes?
    Can we appeal?

Examples of processing ‘likely to result in high risk’
    List of examples of processing ‘likely to result in high risk’