At a glance

  • Data protection impact assessments (DPIAs) help organisations to identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy.
  • DPIAs can be an integral part of taking a privacy by design approach.
  • The GDPR sets out the circumstances in which a DPIA must be carried out.

In brief

What is a data protection impact assessment?

Data protection impact assessments (also known as privacy impact assessments or PIAs) are a tool which can help organisations identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy. An effective DPIA will allow organisations to identify and fix problems at an early stage, reducing the associated costs and damage to reputation that might otherwise occur.

The ICO has promoted the use of DPIAs as an integral part of taking a privacy by design approach.

See the ICO’s conducting privacy impact assessments code of practice for good practice advice. We are working to update this guidance to reflect the provisions of the GDPR. In the meantime, the existing guidance is a good starting point for organisations.

Annex 1 of the ICO’s paper on big data, artificial intelligence, machine learning and data protection contains practical advice on applying GDPR DPIA provisions in the specific context of big data analytics.

When do I need to conduct a DPIA?

You must carry out a DPIA when:

  • using new technologies; and
  • the processing is likely to result in a high risk to the rights and freedoms of individuals.

Processing that is likely to result in a high risk includes (but is not limited to):

  • systematic and extensive processing activities, including profiling, and where decisions have legal effects – or similarly significant effects – on individuals.
  • large scale processing of special categories of data or personal data relating to criminal convictions or offences.

    This includes processing a considerable amount of personal data at regional, national or supranational level; that affects a large number of individuals; and involves a high risk to rights and freedoms eg based on the sensitivity of the processing activity.
  • large scale, systematic monitoring of public areas (CCTV).

What information should the DPIA contain?

  • A description of the processing operations and the purposes, including, where applicable, the legitimate interests pursued by the controller.
  • An assessment of the necessity and proportionality of the processing in relation to the purpose.
  • An assessment of the risks to individuals.
  • The measures in place to address risk, including security, and to demonstrate that you comply.

A DPIA can address more than one project.

In more detail – Article 29

The Article 29 Working Party includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the GDPR.

The Article 29 Working Party has finalised its guidelines on high risk processing and DPIAs, following its consultation.


In more detail – ICO guidance

We are currently considering whether the ICO can provide any further detail over and above the Article 29 Working Party guidelines. We will add any additional advice we are able to provide here in due course.