Data Protection Impact Assessments

A data protection impact assessment (DPIA) is a process required by UK law to help organizations identify and minimize privacy risks involved with data processing activities. A DPIA must be completed for any processing likely to result in a high risk to individuals' rights and freedoms. It involves describing the processing, consulting stakeholders, assessing necessity and compliance, and identifying and addressing risks. The DPIA provides accountability that the organization complies with data protection obligations.

Data protection impact assessments

Last reviewed or updated 23/09/2022

What you'll learn:

- What is a data protection impact assessment?
- When should a DPIA be used?
- What should a DPIA cover?
- What happens after a DPIA is completed?
- What happens if a DPIA is not carried out?

When organisations handle personal data, they need to comply with the relevant data
protection laws. This includes completing a data protection impact assessment where any
personal data processing is likely to result in a high risk to individuals. Read this guide to find
out more.


What is a data protection impact assessment?


A data protection impact assessment (DPIA) is a process designed to help organisations
(in this role known as 'data controllers') identify and minimise the data protection risks of a
project. A DPIA is an essential component of an organisation's accountability
obligation under the UK General Data Protection Regulation (UK GDPR) and helps
organisations assess and demonstrate how they comply with their data protection
obligations.

When should a DPIA be used?


DPIAs need to be completed where the processing (eg obtaining or recording) of personal
data (eg names, addresses and information about racial or ethnic origin) is likely to result in
a high risk to the rights and freedoms of individuals. A 'risk' is the potential for any
significant physical, material or non-material harm to individuals. To determine whether a
risk is 'high risk', both the likelihood and the severity of the potential harm to individuals need
to be considered.
The Information Commissioner’s Office (ICO) has published a list of data processing
activities that it considers likely to result in a high risk to individuals, and which require a
DPIA. Examples include the processing of biometric data (eg fingerprint data/facial images),
processing that involves tracking an individual’s geolocation or behaviour and the combining,
comparing or matching of personal data obtained from multiple sources. For more
information, see the ICO’s guidance and list of examples of data processing likely to result
in a high risk.
Note that several types of data processing will always require a DPIA. For example, where
the processing involves the extensive profiling of individuals (eg employers monitoring staff
internet habits to ensure they aren’t using it for illicit purposes) or where the processing
involves monitoring of a publicly accessible area on a large scale. For more information, see
the ICO’s guidance.
Where the processing of personal data is likely to result in a high risk to individuals, a DPIA
needs to be carried out before any data is processed.
The ICO’s DPIA screening checklist can help determine whether a DPIA is needed.

What should a DPIA cover?


DPIAs must:

- describe the nature, scope, context and purposes of the processing
- provide details of any consultations
- assess the necessity, proportionality and compliance measures of the processing
- identify and assess risks to individuals
- identify any additional measures to help mitigate those risks
- record sign-off

The processing’s nature, scope, context and purposes

The nature of the processing is what the organisation plans to do with the personal data (eg
how the data is to be collected and stored, how long the data is to be kept and who has access
to the data).
The scope of the processing is what the processing covers (eg the extent and frequency of the
processing and the geographical areas covered).
The context of the processing is an assessment of the wider picture, including the current
state of technology in the area (eg whether it is new), and whether there are any existing
public concerns about its use.
The purpose of the processing is the reason why the organisation wants to process the
personal data (eg what the intended outcomes of the processing are and the benefits that are
expected).
For more information, read the ICO’s guidance.

Consultations

The following parties should be consulted as part of the DPIA:

- any relevant internal stakeholders at the organisation (especially those with
responsibility for information security)
- independent experts (eg IT, sociology or ethics experts), where appropriate
- legal advisers, for specific advice on your situation (note that there is no specific
requirement to do so)
For more information, read the ICO’s guidance.

Necessity, proportionality and compliance

Organisations should consider whether their plan actually achieves their purpose and whether there is
any less intrusive way to achieve the same result. The DPIA should include details of how the
organisation will ensure compliance with data protection law, as this is a good measure of
necessity and proportionality. Organisations should set out:

- the lawful basis for the processing
- how function creep (ie use of personal data for a purpose other than the original
specified purpose) will be prevented
- how data quality will be ensured (under the UK GDPR, personal data has to be accurate
and, where necessary, kept up to date)
- how data minimisation and storage limitation will be ensured (only the personal data
needed for the purpose should be collected, and it should not be kept for longer than
necessary, in line with your data retention policy, if one exists. Where you have a data
retention policy in place, link to it in your DPIA). Ask a lawyer if you require a data
retention policy
- how privacy information will be provided to individuals
- how individuals' rights will be implemented and supported
- how any data processors (ie anyone who processes personal data on the instructions of
the data controller) ensure compliance with data protection laws. Data processors
should be engaged in the DPIA process to ensure their policies and procedures are
compliant, and the DPIA should set out how data protection laws are complied with
(eg by providing links to the processor's compliance and/or security webpages)
- any safeguards put in place for any international transfers of personal data. As this
can be very complex, it is recommended that you Ask a lawyer for more information
For more information, read Compliance for DPIAs and the ICO’s guidance.

Risk
Organisations need to consider the potential impact on individuals and any harm or damage
(physical, emotional or material) the processing may cause. Organisations should, for
example, consider whether the data processing could contribute to:

- the inability to exercise rights (eg privacy rights)
- the inability to access services/opportunities
- the loss of control over the use of personal data
- discrimination
- identity theft/fraud
- financial or physical harm
To determine the overall risk associated with the processing (ie whether the risk is 'high
risk'), organisations should consider the likelihood and severity of the possible harm. The
likelihood of possible harm can be:

- remote - it is possible that the harm may occur, but it is not likely
- possible - the harm may happen, or recur on a semi-regular basis
- probable - the harm will recur on a regular basis, pointing to some failure in controls

The severity of the possible harm can be:

- minimal - involving short-term, minimal embarrassment to an individual, small
amounts of personal data about the data subject (ie the individual the data relates to) and
minimal disruption or inconvenience in the service delivered to the individual
- significant - involving significant amounts of personal data being transferred outside
the organisation, leading to significant actual or potential detriment (including
emotional distress, as well as physical and financial damage) and/or safeguarding
concerns
- severe - involving significant amounts of personal data being transferred outside
the organisation, leading to a proven detriment and/or high-risk safeguarding concerns.
Data subjects may encounter significant or irreversible consequences which they may
not overcome (eg loss of employment or financial jeopardy)

Based on the likelihood and severity of the risk(s), the overall risk needs to be determined.
The overall risk can be:

- low - this is an acceptable risk, with no further action or additional controls required.
Risks at this level should be monitored and reassessed at appropriate intervals
- medium - efforts should be made to reduce the risk, provided this is not
disproportionate. The organisation should determine the need for improved control
measures
- high - immediate action must be taken to manage the risk, and a number of control
measures may be required
For more information, read the ICO’s guidance.
Risk mitigation

Organisations should consider how each risk identified could be reduced or eliminated
altogether, taking into account the costs of any mitigating measures when deciding whether they
are appropriate.
Bear in mind that not all risks need to be eliminated - organisations may decide that some
risks (even if they are high risk) are acceptable (eg because of the benefits of the processing or
because mitigation is too difficult). However, where a high residual risk remains that cannot
be mitigated, the ICO must be consulted before the processing can start. The ICO will
give written advice within 8 weeks (or 14 weeks in complex cases). If appropriate, it may
issue a formal warning not to process the data, or ban the processing altogether.
For more information, read the ICO’s guidance.

Sign-off

A DPIA should record:

- what mitigating measures the organisation plans to take
- whether each identified risk has been eliminated, reduced or accepted
- the overall 'residual risk' remaining after the mitigating measures are applied
- whether the ICO needs to be consulted

The completed DPIA should then be provided to the organisation's data protection officer
(DPO), where one exists. The DPO should advise on whether the processing is compliant and
can go ahead. If the DPO's advice is not followed, the reasons for this need to be recorded.

What happens after a DPIA is completed?


Once a DPIA has been carried out, its outcomes should be integrated into the project plan.
Any action points should clearly be identified and assigned to the party responsible for
implementing them (eg under the organisation’s usual project-management process).
The DPIA should be kept under review: it may be necessary to revisit the assessment before
the project plans are finalised, and a DPIA needs to be repeated if there is a substantial
change to the nature, scope, context or purposes of the data processing, or to the risks
involved.
It is considered to be good practice to publish finalised DPIAs to abide by transparency and
accountability obligations, increase trust in the organisation’s data processing activities and
facilitate and improve individuals’ ability to exercise their rights in relation to personal data.

What happens if a DPIA is not carried out?
