In detail

Is this a new obligation?

Yes, the GDPR includes a new obligation to conduct a DPIA for types of processing likely to result in a high risk to individuals’ interests.

This is part of the new focus on accountability and being able to demonstrate that you comply with the GDPR. It is a key element of data protection by design and by default, and also reflects the more risk-based approach to data protection obligations taken throughout the GDPR.

What should we do if we already carry out PIAs?

Privacy impact assessments (PIAs) have been used for many years as a good practice measure to identify and minimise privacy risks associated with new projects. DPIAs are very similar to PIAs, so if you already carry out PIAs in accordance with our PIA code under DPA 1998, the new process will be very familiar.

However, you will need to review and adapt your internal policies, processes and procedures to ensure they meet the requirements for DPIAs under the GDPR. The key changes include:

  • DPIAs are mandatory for any processing likely to result in a high risk (including some specified types of processing). You need to review your screening questions to make sure you comply with the new requirements.
  • You must consider the impact on any of an individuals’ rights and freedoms, including (but not limited to) privacy rights.
  • There are more specific requirements for the content of a DPIA.
  • You must seek the advice of your data protection officer (DPO), if you have one. You should also seek the views of people whose data you intend to process, or their representatives, where appropriate.
  • If after doing a DPIA you conclude that there is a high risk and you cannot mitigate that risk, you must formally consult the ICO before you can start the processing.

What should we do if we don’t already carry out PIA’s?

If you don’t have an existing PIA process, you need to ensure you understand DPIA requirements and embed them into your business practices. If you are likely to do many DPIAs, consider using this guidance as a starting point to design a bespoke DPIA process to meet your specific needs and fit in with your existing practices.

You should also review your existing processing operations to identify whether you already do anything that would be considered likely to result in high risk under the GDPR. If so, are you confident you have already adequately assessed and mitigated your project’s risks? If not, you may need to conduct a DPIA now to ensure the processing complies with the GDPR.

However, the ICO does not expect you to do a new DPIA for existing processing where you have already considered relevant risks and safeguards (whether as part of a PIA or another formal or informal risk-assessment process) – unless the nature, scope, context or purposes of the processing have changed significantly since that previous assessment.

To help you demonstrate compliance if challenged, we recommend that you document your review and your reasons for not conducting a new DPIA where relevant.

Further reading - European Data Protection Board

WP29 produced guidelines on data protection impact assessments, which have been endorsed by the EDPB.