The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

This guidance discusses Data Protection Impact Assessments (DPIAs) in detail. Read it if you have detailed questions not answered in the Guide, or if you need a deeper understanding to help you understand or complete a DPIA in practice. DPOs and those with specific data protection responsibilities in larger organisations are likely to find it useful.

The guidance has been revised to adopt the European Data Protection Board’s 22/2018 opinion on the ICO’s list of processing operations subject to the requirement of conducting a DPIA.

If you haven’t yet read DPIAs in brief in the Guide to GDPR, you should read that first. It sets out the key points you need to know, along with practical checklists to help you comply.


What's new?

What is a DPIA?

Is this a new obligation?

What should we do if we already carry out DPIAs?

What should we do if we don’t already carry out DPIAs?

What is a DPIA?

Why are DPIAs important?

How are DPIAs used?

What kind of ‘risk’ do they assess?

When do we need to do a DPIA?

How do we carry out a DPIA?

What is the general rule?

What does ‘high risk’ mean?

What does ‘likely to result in high risk’ mean?

What types of processing automatically require a DPIA?

What other factors might indicate likely high risk?

What does the ICO consider likely to result in high risk?

What does ‘innovative technologies’ mean?

What does ‘systematic and extensive’ mean?

What does ‘significantly affect’ mean?

What does ‘invisible processing’ mean?

What does ‘vulnerable individual’ mean?

What does ‘large scale’ mean?

Are there any exemptions?

What are the key elements of a DPIA process?

Is there a template we can use?

Who should do the DPIA?

What is the role of the DPO?

Step 1: How do we decide whether to do a DPIA?

Step 2: How do we describe the processing?

Step 3: Do we need to consult individuals?

Step 3: Do we need to consult anyone else?

Step 4: How do we assess necessity and proportionality?

Step 5: How do we identify and assess risks?

Step 6: How do we identify mitigating measures?

Step 7: How do we conclude our DPIA?

What happens next?

Do we need to consult the ICO?

When do we need to consult the ICO?

How do we consult the ICO?

What happens next?

What happens if we do not accept your DPIA?

How is our DPIA assessed?

How long does it take?

What are the possible outcomes?

Can we appeal?

Examples of processing ‘likely to result in high risk’


List of examples of processing 'likely to result in high risk'