These pages sit alongside our Guide to the GDPR and provide more detailed guidance for UK organisations on Data Protection Impact Assessments (DPIAs) under the GDPR. They replace our previous code of practice on conducting privacy impact assessments.                          

DPIAs are a tool to help you identify and minimise the data protection risks of new projects. They are part of your accountability obligations under the GDPR, and an integral part of the ‘data protection by default and by design’ approach.

An effective DPIA helps you:

  • to identify and fix problems at an early stage,
  • demonstrate compliance with your data protection obligations,
  • meet individuals’ expectations of privacy; and
  • help avoid reputational damage which might otherwise occur.

In some cases the GDPR says you must carry out a DPIA, but they can be a useful tool in other cases too.

This guidance explains the principles and process that form the basis of a DPIA. It helps you to understand what a DPIA is for, when you need to carry one out, and how to go about it. It also explains the role of the ICO, when you have to consult us, and how that consultation process works.

The process described in this guidance is designed to be flexible enough to work for organisations of any size and in any sector – although if you are processing for law enforcement purposes you should read this alongside the Guide to law enforcement processing. If you are likely to conduct regular DPIAs, you can also use this guidance as a starting point to develop your own bespoke DPIA process and methodology which fits with your particular needs and existing working practices.

For an introduction to the key themes and provisions of the GDPR, including broader accountability obligations, you should refer back to the Guide to the GDPR. You can navigate back to the Overview at any time using the link on the top of this page. Links to other relevant guidance and sources of further information are also provided throughout.

When you download this guidance, the corresponding content from the Guide to the GDPR will also be included. So you will have all the relevant information on this topic.