Data protection impact assessments—DPIAs

The following Risk & Compliance guidance note provides comprehensive and up-to-date legal information covering:

  • Data protection impact assessments—DPIAs
  • What is a data protection impact assessment?
  • Is it compulsory to conduct a DPIA?
  • Voluntary DPIA
  • At what stage of a project should you conduct a DPIA?
  • Who should conduct the DPIA?
  • How to conduct a DPIA
  • Consultation with the ICO
  • The need for ongoing assessment
  • Consequences of failing to conduct a DPIA

A data protection impact assessment (DPIA) does what the name suggests—it’s a way of assessing the data protection impact of a particular project or process on any affected individuals. Historically, DPIAs were called privacy impact assessments (PIAs). The General Data Protection Regulation (GDPR), Regulation (EU) 2016/679 uses the term DPIA but the concepts are the same.

This Practice Note explains:

  1. what a DPIA is

  2. whether you have to conduct DPIAs, and if so

  3. who should conduct the assessment, and

  4. how

Precedent: Data protection impact assessment—GDPR compliant reflects the requirements of the GDPR. See also Precedent: Data protection impact assessment—DPIA—short form which is based on a template issued by the Information Commissioner’s Office (ICO).

The ICO guidance on DPIAs can be found in two locations: Guide to the GDPR, Accountability and governance, Data protection impact assessments and Data Protection Impact Assessments (DPIAs).

What is a data protection impact assessment?

A DPIA is a tool that can help you:

  1. identify and minimise the data protection risks of new projects, and

  2. meet individuals’ expectations of privacy

Generally, a DPIA is conducted at the start of a project that could have data protection or privacy implications, eg rolling out a new document management or HR system. Done properly, the DPIA will enable you to:

  1. systematically and thoroughly analyse how the project will affect individuals’ privacy, and

  2. ensure