A data protection impact assessment (DPIA) is a systematic process to help you identify, assess and minimise the privacy risks in a project.
It is a new obligation under the General Data Protection Regulation (GDPR) for processing that is likely to result in a high risk to the rights and freedoms of individuals.
Three categories of processing will always require a DPIA:
- systematic and extensive profiling with significant effects
- large scale use of sensitive data
- public monitoring
As well as these, the Information Commissioner's Office (ICO) says further ten types of processing will require a DPIA:
- new technologies (including artificial intelligence)
- denial of service based on automated decision-making, including profiling
- large-scale profiling of individuals
- any processing of biometric data
- processing of genetic data, unless by a health professional providing health care directly to the data subject
- combining, comparing or matching personal data obtained from multiple sources
- invisible processing of personal data obtained from a third party in specific circumstances
- processing which involves tracking an individual’s geolocation or behaviour, including but not limited to the online environment
- use of data to target children or other vulnerable individuals
- where processing poses risk of physical harm in case of data breach
See examples of processing that is likely to result in a high risk to individuals.
It is good practice to carry out a DPIA for any other major project, which requires the processing of personal data.
Data protection impact assessment process
You should carry out a DPIA as early as possible within any new project or product life cycle. This will allow you to incorporate its findings and recommendations into the design of the data processing.
The GDPR does not say which DPIA process you must follow. Typically, the process will involve the following key steps:
- identify the need for a DPIA
- describe the processing
- consider consultation
- assess necessity and proportionality
- identify data protection and related risks
- identify measures to reduce or eliminate the risks
- sign off and record the outcomes of the DPIA
- integrate data protection solutions into the project
- keep under review
The Information Commissioner's Office (ICO) provides a code of practice on conducting privacy impact assessments. You can also read their summary guidance on DPIA process.
Data protection impact assessment template
If you have carried out a DPIA and identified a high risk, and you cannot take measures to reduce this risk, you need to consult the ICO. You cannot begin the processing until you have done so. If you are able to mitigate the risk identified through the DPIA, then you won't need to contact the ICO.
Privacy by design and default
A data protection impact assessment is a key component of the GDPR's new 'privacy by design and by default' approach. The legislation places an obligation on data controllers to integrate technical and organisational measures for data protection into their processing activities.
In short, the GDPR requires:
- data protection by design - ie data controllers must put safeguards and security measures in place, such as pseudonymisation, to minimise personal data processing
- data protection by default - ie data controllers should only process data that is necessary, to an extent that is necessary, and only store data as long as necessary
Embedding data privacy features into the design of projects can help you:
- identify potential problems at an early stage
- save time and money addressing problems early
- increase awareness of privacy and data protection across the organisation
- minimise the potential and likelihood of GDPR breach
- minimise intrusion and negative impact of processing on individuals
The ICO has published further guidance on privacy by design.
Breach of DPIA duties
Failure to adequately conduct data protection impact assessment when required is a breach of the GDPR and could lead to fines of up to 2 per cent of an organisation's annual global turnover or €10 million - whichever is greater. See more on GDPR penalties and enforcement.
This guide aims to help you understand GDPR and your obligations under the law, but it does not constitute legal advice. For definitive legal guidance, see the ICO's guide on GDPR or consider getting independent legal advice.