Data protection impact assessments—DPIAs

The following Risk & Compliance guidance note provides comprehensive and up-to-date legal information covering:

  • Data protection impact assessments—DPIAs
  • What is a data protection impact assessment?
  • Is it compulsory to conduct a DPIA?
  • Voluntary DPIA
  • At what stage of a project should you conduct a DPIA?
  • Who should conduct the DPIA?
  • How to conduct a DPIA
  • Consultation with the ICO
  • The need for ongoing assessment
  • Consequences of failing to conduct a DPIA

Brexit: As of exit day (31 January 2020), the UK is no longer an EU Member State, but it has entered an implementation period during which it continues to be treated by the EU as a Member State for many purposes. The UK must continue to adhere to its obligations under EU law, including in relation to data protection, and the ICO has confirmed the GDPR will continue to apply during the implementation period. For more information, see: Practice Note: Brexit—implications for data protection.

A data protection impact assessment (DPIA) does what the name suggests—it’s a way of assessing the data protection impact of a particular project or process on any affected individuals. Historically, DPIAs were called privacy impact assessments (PIAs). The General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, uses the term DPIA but the concepts are the same.

This Practice Note explains:

  1. what a DPIA is

  2. whether you have to conduct DPIAs, and if so

  3. who should conduct the assessment, and

  4. how

Precedent: Data protection impact assessment—GDPR compliant reflects the requirements of the GDPR. See also Precedent: Data protection impact assessment—DPIA—short form which is based on a template issued by the Information Commissioner’s Office (ICO).

The ICO guidance on DPIAs can be found in two locations: "Guide to the GDPR, Accountability and governance, Data protection impact assessments" and "Data Protection Impact Assessments".