At a glance
- A data protection impact assessment (DPIA) is a process to help you identify and minimise the data protection risks of a project.
- You must do a DPIA for certain listed types of processing, or any other processing that is likely to result in a high risk to individuals’ interests. You can use our screening checklist to help you decide when to do a DPIA.
- It is also good practice to do a DPIA for any other major project which requires the processing of personal data.
- Your DPIA must:
- describe the nature, scope, context and purposes of the processing;
- assess necessity, proportionality and compliance measures;
- identify and assess risks to individuals; and
- identify any additional measures to mitigate those risks.
- To assess the level of risk, you must consider both the likelihood and the severity of any impact on individuals. High risk could result from either a high probability of some harm, or a lower possibility of serious harm.
- You should consult your DPO (if you have one) and, where appropriate, individuals and relevant experts. Processors may need to assist.
- If you identify a high risk and you cannot mitigate that risk, you must consult the ICO before starting the processing.
- The ICO will give written advice within eight weeks, or 14 weeks in complex cases. In appropriate cases we may issue a formal warning not to process the data, or ban the processing altogether.
DPIA awareness checklist
- We provide training so that our staff understand the need to consider a DPIA at the early stages of any plan involving personal data.
- Our existing policies, processes and procedures include references to DPIA requirements.
- We understand the types of processing that require a DPIA, and use the screening checklist to identify the need for a DPIA where necessary.
- We have created and documented a DPIA process.
- We provide training for relevant staff on how to carry out a DPIA.
DPIA screening checklist
We always carry out a DPIA if we plan to:
- Use systematic and extensive profiling or automated decision-making to make significant decisions about people.
- Process special category data or criminal offence data on a large scale.
- Systematically monitor a publicly accessible place on a large scale.
- Use new technologies.
- Use profiling, automated decision-making or special category data to help make decisions on someone’s access to a service, opportunity or benefit.
- Carry out profiling on a large scale.
- Process biometric or genetic data.
- Combine, compare or match data from multiple sources.
- Process personal data without providing a privacy notice directly to the individual.
- Process personal data in a way which involves tracking individuals’ online or offline location or behaviour.
- Process children’s personal data for profiling or automated decision-making or for marketing purposes, or offer online services directly to them.
- Process personal data which could result in a risk of physical harm in the event of a security breach.
- We consider carrying out a DPIA if we plan to carry out any other:
- Evaluation or scoring.
- Automated decision-making with significant effects.
- Systematic monitoring.
- Processing of sensitive data or data of a highly personal nature.
- Processing on a large scale.
- Processing of data concerning vulnerable data subjects.
- Innovative technological or organisational solutions.
- Processing involving preventing data subjects from exercising a right or using a service or contract.
- If we decide not to carry out a DPIA, we document our reasons.
- We consider carrying out a DPIA in any major project involving the use of personal data.
- We carry out a new DPIA if there is a change to the nature, scope, context or purposes of our processing.
DPIA process checklist
- We describe the nature, scope, context and purposes of the processing.
- We ask our data processors to help us understand and document their processing activities and identify any associated risks.
- We consider how best to consult individuals (or their representatives) and other relevant stakeholders.
- We ask for the advice of our data protection officer.
- We check that the processing is necessary for and proportionate to our purposes, and describe how we will ensure data protection compliance.
- We do an objective assessment of the likelihood and severity of any risks to individuals’ rights and interests.
- We identify measures we can put in place to eliminate or reduce high risks.
- We record the outcome of the DPIA, including any difference of opinion with our DPO or individuals consulted.
- We implement the measures identified, and integrate them into our project plan.
- We consult the ICO before processing if we cannot mitigate high risks.
- We keep our DPIAs under review and revisit them if necessary.
What’s new under the GDPR?
The GDPR introduces a new obligation to do a DPIA before carrying out processing likely to result in high risk to individuals’ interests. If your DPIA identifies a high risk which you cannot mitigate, you must consult the ICO.
This is a key element of the new focus on accountability and data protection by design, and a more risk-based approach to compliance.
Some organisations will already carry out privacy impact assessments (PIAs) as a matter of good practice. If so, you will need to review your processes to make sure they comply with GDPR requirements. The big changes are that DPIAs are now mandatory in some cases, and there are specific requirements for content and process.
If you have not already got a PIA process, you will need to design a new DPIA process and embed this into your organisational policies and procedures.
In the run-up to 25 May 2018, you also need to review your existing processing operations and decide whether you need to do a DPIA for anything which is likely to be high risk. You will not need to do a DPIA if you have already considered the relevant risks and safeguards, unless there has been a significant change to the nature, scope, context or purposes of the processing.
What is a DPIA?
A DPIA is a process to systematically analyse your processing and help you identify and minimise data protection risks. It must:
- describe the processing and your purposes;
- assess necessity and proportionality;
- identify and assess risks to individuals; and
- identify any measures to mitigate those risks and protect the data.
It does not have to eradicate the risk, but should help to minimise risks and consider whether or not they are justified.
You must do a DPIA for processing that is likely to be high risk. But an effective DPIA can also bring broader compliance, financial and reputational benefits, helping you demonstrate accountability more generally and building trust and engagement with individuals.
A DPIA may cover a single processing operation or a group of similar processing operations. A group of controllers can do a joint DPIA.
It’s important to embed DPIAs into your organisational processes and ensure the outcome can influence your plans. A DPIA is not a one-off exercise and should be seen as an ongoing process, kept under regular review.
DPIAs should consider compliance risks, but also broader risks to the rights and freedoms of individuals, including the potential for any significant social or economic disadvantage. The focus is on the potential for harm – whether physical, material or non-material – to individuals or to society at large.
To assess the level of risk, a DPIA must consider both the likelihood and the severity of any impact on individuals. It should look at risk based on the specific nature, scope, context and purposes of the processing.
When do we need to do a DPIA?
You must do a DPIA before you begin any type of processing which is “likely to result in a high risk”. This means that although the actual level of risk has not been assessed yet, you need to screen for factors which point to the potential for a widespread or serious impact on individuals.
In particular, the GDPR says you must do a DPIA if you plan to:
- use systematic and extensive profiling with significant effects;
- process special category or criminal offence data on a large scale; or
- systematically monitor publicly accessible places on a large scale.
The ICO also requires you to do a DPIA if you plan to:
- use new technologies;
- use profiling or special category data to decide on access to services;
- profile individuals on a large scale;
- process biometric data;
- process genetic data;
- match data or combine datasets from different sources;
- collect personal data from a source other than the individual without providing them with a privacy notice (‘invisible processing’);
- track individuals’ location or behaviour;
- profile children or target services at them; or
- process data that might endanger the individual’s physical health or safety in the event of a security breach.
You should also think carefully about doing a DPIA for any other processing which is large scale, involves profiling or monitoring, decides on access to services or opportunities, or involves sensitive data or vulnerable individuals.
Even if there is no specific indication of likely high risk, it is good practice to do a DPIA for any major new project involving the use of personal data.
How do we carry out a DPIA?
A DPIA should begin early in the life of a project, before you start your processing, and run alongside the planning and development process. It should include these steps:
You must seek the advice of your data protection officer (if you have one). You should also consult with individuals and other stakeholders throughout this process.
The process is designed to be flexible and scalable. You can use or adapt ICO’s sample DPIA template, or create your own. If you want to create your own, you may want to refer to the European guidelines which set out Criteria for an acceptable DPIA(external link).
We recommend that you publish your DPIAs, with sensitive details removed if necessary.
Do we need to consult the ICO?
If you have carried out a DPIA that identifies a high risk, and you cannot take any measures to reduce this risk, you need to consult the ICO. You cannot go ahead with the processing until you have done so.
The focus is on the ‘residual risk’ after any mitigating measures have been taken. If your DPIA identified a high risk, but you have taken measures to reduce this risk so that it is no longer a high risk, you do not need to consult the ICO.
You need to complete ICO’s online form and submit a copy of your DPIA.
Once we have the information we need, we will generally respond within eight weeks (although we can extend this by a further six weeks in complex cases).
We will provide you with a written response advising you whether the risks are acceptable, or whether you need to take further action. In some cases we may advise you not to carry out the processing because we consider it would be in breach of the GDPR. In appropriate cases we may issue a formal warning or take action to ban the processing altogether.
The Article 29 Working Party includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the GDPR.
The working party has published Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679 (WP248).
Other relevant guidelines include:
Thank you for reading.