Click here for information about consulting the ICO about your data protection impact assessment.

At a glance

  • A Data Protection Impact Assessment (DPIA) is a process to help you identify and minimise the data protection risks of a project.
  • You must do a DPIA for processing that is likely to result in a high risk to individuals. This includes some specified types of processing. You can use our screening checklists to help you decide when to do a DPIA.
  • It is also good practice to do a DPIA for any other major project which requires the processing of personal data.
  • Your DPIA must:
    • describe the nature, scope, context and purposes of the processing;
    • assess necessity, proportionality and compliance measures;
    • identify and assess risks to individuals; and
    • identify any additional measures to mitigate those risks.
  • To assess the level of risk, you must consider both the likelihood and the severity of any impact on individuals. High risk could result from either a high probability of some harm, or a lower possibility of serious harm.
  • You should consult your data protection officer (if you have one) and, where appropriate, individuals and relevant experts. Any processors may also need to assist you.
  • If you identify a high risk that you cannot mitigate, you must consult the ICO before starting the processing.
  • The ICO will give written advice within eight weeks, or 14 weeks in complex cases. If appropriate, we may issue a formal warning not to process the data, or ban the processing altogether.

Checklists

DPIA awareness checklist

We provide training so that our staff understand the need to consider a DPIA at the early stages of any plan involving personal data.

Our existing policies, processes and procedures include references to DPIA requirements.

We understand the types of processing that require a DPIA, and use the screening checklist to identify the need for a DPIA, where necessary.

We have created and documented a DPIA process.

We provide training for relevant staff on how to carry out a DPIA.

DPIA screening checklist

We always carry out a DPIA if we plan to:

Use systematic and extensive profiling or automated decision-making to make significant decisions about people.

Process special category data or criminal offence data on a large scale.

Systematically monitor a publicly accessible place on a large scale.

Use new technologies.

Use profiling, automated decision-making or special category data to help make decisions on someone’s access to a service, opportunity or benefit.

Carry out profiling on a large scale.

Process biometric or genetic data.

Combine, compare or match data from multiple sources.

Process personal data without providing a privacy notice directly to the individual.

Process personal data in a way which involves tracking individuals’ online or offline location or behaviour.

Process children’s personal data for profiling or automated decision-making or for marketing purposes, or offer online services directly to them.

Process personal data which could result in a risk of physical harm in the event of a security breach.

We consider whether to do a DPIA if we plan to carry out any other:

Evaluation or scoring.

Automated decision-making with significant effects.

Systematic processing of sensitive data or data of a highly personal nature.

Processing on a large scale.

Processing of data concerning vulnerable data subjects.

Innovative technological or organisational solutions.

Processing involving preventing data subjects from exercising a right or using a service or contract.

We consider carrying out a DPIA in any major project involving the use of personal data.

If we decide not to carry out a DPIA, we document our reasons.

We carry out a new DPIA if there is a change to the nature, scope, context or purposes of our processing.

DPIA process checklist

We describe the nature, scope, context and purposes of the processing.

We ask our data processors to help us understand and document their processing activities and identify any associated risks.

We consider how best to consult individuals (or their representatives) and other relevant stakeholders.

We ask for the advice of our data protection officer.

We check that the processing is necessary for and proportionate to our purposes, and describe how we will ensure data protection compliance.

We do an objective assessment of the likelihood and severity of any risks to individuals’ rights and interests.

We identify measures we can put in place to eliminate or reduce high risks.

We record our decision-making in the outcome of the DPIA, including any difference of opinion with our DPO or individuals consulted.

We implement the measures we identified, and integrate them into our project plan.

We consult the ICO before processing, if we cannot mitigate high risks.

We keep our DPIAs under review and revisit them when necessary.

In brief

What’s new under the GDPR?

The GDPR introduces a new obligation to do a DPIA before carrying out types of processing likely to result in high risk to individuals’ interests. If your DPIA identifies a high risk that you cannot mitigate, you must consult the ICO.

This is a key element of the new focus on accountability and data protection by design.

Some organisations already carry out privacy impact assessments (PIAs) as a matter of good practice. If so, the concept will be familiar, but you still need to review your processes to make sure they comply with GDPR requirements. DPIAs are now mandatory in some cases, and there are specific legal requirements for content and process.

If you have not already got a PIA process, you need to design a new DPIA process and embed this into your organisation’s policies and procedures.

In the run-up to 25 May 2018, you also need to review your existing processing operations and decide whether you need to do a DPIA, or review your PIA, for anything which is likely to be high risk. You do not need to do a DPIA if you have already considered the relevant risks and safeguards in another way, unless there has been a significant change to the nature, scope, context or purposes of the processing since that previous assessment.

What is a DPIA?

A DPIA is a way for you to systematically and comprehensively analyse your processing and help you identify and minimise data protection risks.

DPIAs should consider compliance risks, but also broader risks to the rights and freedoms of individuals, including the potential for any significant social or economic disadvantage. The focus is on the potential for harm - to individuals or to society at large, whether it is physical, material or non-material.

To assess the level of risk, a DPIA must consider both the likelihood and the severity of any impact on individuals.

A DPIA does not have to eradicate the risks altogether, but should help to minimise risks and assess whether or not remaining risks are justified.

DPIAs are a legal requirement for processing that is likely to be high risk. But an effective DPIA can also bring broader compliance, financial and reputational benefits, helping you demonstrate accountability and building trust and engagement with individuals.

A DPIA may cover a single processing operation or a group of similar processing operations. A group of controllers can do a joint DPIA.

It’s important to embed DPIAs into your organisational processes and ensure the outcome can influence your plans. A DPIA is not a one-off exercise and you should see it as an ongoing process, and regularly review it.

When do we need a DPIA?

You must do a DPIA before you begin any type of processing which is “likely to result in a high risk”. This means that although you have not yet assessed the actual level of risk you need to screen for factors that point to the potential for a widespread or serious impact on individuals.

In particular, the GDPR says you must do a DPIA if you plan to:

  • use systematic and extensive profiling with significant effects;
  • process special category or criminal offence data on a large scale; or
  • systematically monitor publicly accessible places on a large scale.

The ICO also requires you to do a DPIA if you plan to:

  • use new technologies;
  • use profiling or special category data to decide on access to services;
  • profile individuals on a large scale;
  • process biometric data;
  • process genetic data;
  • match data or combine datasets from different sources;
  • collect personal data from a source other than the individual without providing them with a privacy notice (‘invisible processing’);
  • track individuals’ location or behaviour;
  • profile children or target marketing or online services at them; or
  • process data that might endanger the individual’s physical health or safety in the event of a security breach.

You should also think carefully about doing a DPIA for any other processing that is large scale, involves profiling or monitoring, decides on access to services or opportunities, or involves sensitive data or vulnerable individuals.

Even if there is no specific indication of likely high risk, it is good practice to do a DPIA for any major new project involving the use of personal data. You can use or adapt the checklists to help you carry out this screening exercise.

How do we carry out a DPIA?

A DPIA should begin early in the life of a project, before you start your processing, and run alongside the planning and development process. It should include these steps:

You must seek the advice of your data protection officer (if you have one). You should also consult with individuals and other stakeholders throughout this process.

The process is designed to be flexible and scalable. You can use or adapt our sample DPIA template, or create your own. If you want to create your own, you may want to refer to the European guidelines which set out Criteria for an acceptable DPIA.

Although publishing a DPIA is not a requirement of GDPR, you should actively consider the benefits of publication. As well as demonstrating compliance, publication can help engender trust and confidence.  We would therefore recommend that you publish your DPIAs, were possible, removing sensitive details if necessary.

Do we need to consult the ICO?

You don’t need to send every DPIA to the ICO and we expect the percentage sent to us to be small. But you must consult the ICO if your DPIA identifies a high risk and you cannot take measures to reduce that risk. You cannot begin the processing until you have consulted us.

If you want your project to proceed effectively then investing time in producing a comprehensive DPIA may prevent any delays later, if you have to consult with the ICO.

You need to email us and attach a copy of your DPIA.

Once we have the information we need, we will generally respond within eight weeks (although we can extend this by a further six weeks in complex cases).

We will provide you with a written response advising you whether the risks are acceptable, or whether you need to take further action. In some cases we may advise you not to carry out the processing because we consider it would be in breach of the GDPR. In appropriate cases we may issue a formal warning or take action to ban the processing altogether.

Further reading – ICO guidance

We have published more detailed guidance on DPIAs.

 

Further reading – European Data Protection Board

The European Data Protection Board (EDPB), which has replaced the Article 29 Working Party (WP29), includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the GDPR.

WP29 published Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679 (WP248), which have been endorsed by the EDPB.

Other relevant guidelines include:

Guidelines on Data Protection Officers (‘DPOs’) (WP243)

Guidelines on automated individual decision-making and profiling for the purposes of Regulation 2016/679 (WP251)