UK General Data Protection Regulation (UK GDPR)
Data protection impact assessments
A data protection impact assessment (DPIA) is a process to help you identify, assess and minimise the data protection risks of a project. A DPIA should consider compliance risks, but also broader risks to the rights and freedoms of individuals, including the potential for any significant social or economic disadvantage.
When is an organisation required to carry out a data protection impact assessment?
You must carry out a DPIA for processing that is likely to result in a high risk to individuals. In particular, the UK GDPR says three categories of processing will always require a DPIA:
- systematic and extensive profiling with significant effects
- large scale use of special category or criminal offence data
- systematic monitoring of publicly accessible places on a large scale
When considering if your processing is likely to result in high risk, you should check against the nine indicators of likely high risk processing outlined in the relevant European guidelines*:
- evaluation or scoring
- automated decision-making with legal or similar significant effect
- systematic monitoring
- sensitive data or data of a highly personal nature
- data processed on a large scale
- matching or combining datasets
- data concerning vulnerable data subjects
- innovative use or applying new technological or organisational solutions
- preventing data subjects from exercising a right or using a service or contract
*EU Exit has not caused any significant change to the criteria that compel DPIAs in the UK, so the ICO still considers these guidelines to be relevant.
In most cases, a combination of two of these factors indicates the need for a DPIA. However, this is not a strict rule. In some cases you may need to do a DPIA if only one factor is present - and it is good practice to do so.
What type of processing is likely to result in high risk?
The ICO maintains a list of processing operations that require a DPIA. These include:
- use innovative technologies (including artificial intelligence)
- use of profiling or special category data to decide on access to services
- profiling individuals on a large scale
- processing biometric data
- processing genetic data, unless by a health professional providing health care directly to the data subject
- matching data or combining datasets from different sources
- collecting personal data from a source other than the individual without providing them with a privacy notice ('invisible processing')
- tracking individuals' location or behaviour, including but not limited to the online environment
- profiling children or targeting marketing or online services at them
processing data that might endanger the individual's physical health or safety in case of data breach
Some of these operations require a DPIA automatically, and some only when they occur in combination with one of the other factors, or any of the nine criteria in the EU guidelines referred to above. See examples of processing that is likely to result in a high risk to individual.
If in doubt, you can use the ICO's screening checklist to help you decide if you need to do a DPIA.
Even if there is no specific indication of likely high risk, it is good practice to do a DPIA for any major new project involving the use of personal data.
How do you do a data protection impact assessment?
Typically, a DPIA will involve the following key steps:
- identify the need for a DPIA
- describe the processing
- consider consultation
- evaluate the necessity and proportionality
- identify data protection and related risks
- identify measures to reduce or eliminate the risks
- sign off and record the outcomes of the DPIA
- integrate data protection solutions into the project
- keep under review
You must seek the advice of your data protection officer (if you have one), and consult with individuals and other stakeholders throughout this process.
You should carry out a DPIA as early as possible within any new project or product. This will allow you to incorporate its findings and recommendations into the design of the data processing.
To assess the level of risk, a DPIA must consider both the likelihood and the severity of any impact on individuals. A DPIA does not have to indicate that all risks have been eradicated, but it should help you document them and assess whether or not any remaining risks are justified.
The Information Commissioner's Office (ICO) has a summary guidance on DPIA process.
Data protection impact assessment template
You can use or adapt the ICO's sample DPIA template, or create your own based on the criteria outlined above.
Consulting the ICO about high risk processing
If, through your DPIA, you identify a high risk that you cannot mitigate, you must consult the ICO before starting the processing. You need to send them a copy of your DPIA. They will then advise you whether the risks are acceptable, or if you need to take further action.
In some cases, they may also issue an official warning alongside any advice. If the ICO is concerned that your intended processing is likely to contravene UK GDPR, they may:
- issue a warning, explaining the reasons for concern and the steps you need to take to avoid breaching the law
- impose a limitation or ban on your intended processing
If you are able to mitigate the high risk you identified through the DPIA, then you won't need to contact the ICO.
Failure to carry out data protection impact assessments
DPIAs are an essential part of your accountability obligations and a legal requirement for processing likely to result in a high risk to the rights and freedoms of individuals. They also support compliance with data protection by design and default obligations.
Failure to carry out a DPIA when required may leave you open to enforcement action, including UK GDPR penalties and fines.
This guide does not constitute legal advice and is provided for general information purposes only.