Documents for Business

In excess of 1,000 customisable documents covering every conceivable business issue.

Introduction to this document

GDPR data protection impact assessment

A data protection impact assessment is required where a new type of processing is likely to result in a high risk to the rights and freedoms of data subjects. Use our document as your starting point.

What’s a DPIA?

A data protection impact assessment (DPIA) is a risk assessment tool which can help you to identify, assess and mitigate risks to personal data with new data processing activities. You must conduct a DPIA where a type of processing, e.g. the adoption of a new process or IT system, in particular using new technologies, is likely to result in a “high risk” to the rights and freedoms of data subjects. Prior to commencing the processing, you must carry out a DPIA to assess the impact of the proposed processing operations on the protection of personal data. A single DPIA may address multiple processing operations that present similar high risks.

DPIA requirements

Under the UK GDPR, a DPIA is required in the case of: (1) systematic and extensive automated processing activities, including profiling, and on which decisions are based that have legal effects, or similar significant effects, on data subjects; (2) large-scale processing of special category personal data or criminal convictions personal data; and (3) large-scale systematic monitoring of publicly accessible areas, e.g. using CCTV. The Information Commissioner’s Office also requires you to do a DPIA if you plan to: (1) collect personal data from a source other than the data subject without providing them with a privacy notice (in combination with any of the criteria from the Guidelines on Data Protection Impact Assessment”); (2) track individuals’ location or behaviour, including online (in combination with any of the guidelines criteria); (3) process data that might endanger the data subject’s physical health or safety in the event of a security breach; (4) use innovative technology (in combination with any of the guidelines criteria); (5) profile individuals on a large scale; (6) use profiling or special category data to decide on access to services, products or benefits; (7) process biometric or genetic data (in combination with any of the guidelines criteria); (8) match data or combine datasets from multiple sources; or (9) profile children or other vulnerable individuals or target marketing or online services at them. The guidelines then set out nine criteria which may act as indicators of likely high-risk processing. These lists aren’t exhaustive. However, a DPIA won’t be required where the processing is low risk. You also need to review existing processing operations and decide whether you need to do a DPIA for anything that is likely to be high risk. If you decide not to carry out a DPIA when considering a new technology, process or system, do document why.

DPIA contents

A DPIA must, as a minimum, contain:

  • a systematic description of the proposed processing operations and the purposes of the processing, including, where applicable, the legitimate interests you’re pursuing
  • an assessment of the necessity and proportionality of the processing operations in relation to the purposes
  • an assessment of the risks to the rights and freedoms of data subjects
  • the measures envisaged to address the risks, including appropriate safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the UK GDPR.

Our GDPR Data Protection Impact Assessment provides a framework for you to conduct a DPIA before proceeding with a new technology, process or system where the processing operations are potentially high risk. It’s intended only as a starting point and you’ll need to amend or expand it depending on the nature and scope of your new technology, process or system. Our assessment draws together the information you’ve gathered through the DPIA process, documents the outcome of the DPIA and records the actions to be taken as a result. Once you’ve completed your DPIA, keep it under regular review, e.g. at least every three years.