Data protection impact assessment

Copyright © 2025 LexisNexis

A data protection impact assessment (DPIA) does what the name suggests—it’s a way of assessing the data protection impact of a particular project or process on any affected individuals.

For tools and guidelines on conducting a DPIA, see Precedents:

  1. Data protection impact assessment—DPIA and Data protection impact assessment—DPIA—short form

  2. Data protection impact assessment—DPIA—report

  3. Data protection impact assessment—consultation form

  4. Data protection impact assessment—consultation feedback form

The ICO guidance on DPIAs can be found in two locations: UK GDPR guidance and resources, Accountability and governance, Guide to accountability and governance, Data protection impact assessments and UK GDPR guidance and resources, Accountability and governance, Data Protection Impact Assessments (DPIAs).

What is a data protection impact assessment?

A DPIA is a tool that can help you:

  1. identify and minimise the data protection risks of new projects, and

  2. meet individuals’ expectations of privacy

Generally, a DPIA is conducted at the start of a project that could have data protection or privacy implications, eg rolling out a new document management or HR system. The DPIA will enable you to:

  1. systematically and thoroughly analyse

To view the latest version of this document and thousands of others like it, sign-in with LexisNexis or register for a free trial.

Existing user? Sign-in TAKE A FREE TRIAL
Powered by Lexis+®
Latest Risk & Compliance News

FATF announces new mutual evaluation framework to strengthen global illicit finance defences

The Financial Action Task Force (FATF) has convened  its annual high-level meeting with the nine FATF-Style Regional Bodies (FSRBs) in Strasbourg, announcing the implementation of new mutual evaluations. The Global Network, comprising the FATF and nine FSRBs, representing over 200 jurisdictions, remains committed to combating illicit finance through a unified set of standards and mutual evaluations. The meeting focused on implementing Global Network priorities, particularly preparing members for the upcoming mutual evaluations, which will prioritise effectiveness in tackling money laundering, terrorist financing and proliferation risks. All FSRBs aim to complete their first evaluations by late 2026 or early 2027. Additionally, significant emphasis was placed on fostering peer learning, experience sharing and strengthened cohesion within the Global Network, a key priority under the Mexican Presidency.

Risk & Compliance weekly highlights—19 June 2025

This week's edition of Risk & Compliance weekly highlights includes: the latest Risk & Compliance forecast, notable financial sanctions updates, legislative progress with the Data (Use and Access) Bill, and key developments in FATF standards and SFO funding.

New Risk & Compliance forecast as at 17 June 2025

Our new Risk & Compliance forecast (as at 17 June 2025) is now live. This month we report on items including (1) FATF actions following the conclusion of recent consultations; (2) the Crime and Policing Bill's report stage and third reading scheduled for 17-18 June; and (3) the LSB's refined guidance on meeting the new economic crime regulatory objective.

OFSI publishes guidance on sanctions compliance threats for art market and high-value goods

The Office of Financial Sanctions Implementation (OFSI) has published guidance assessing threats to UK financial sanctions compliance in the art market and high-value goods sector. The document forms part of OFSI's sector-specific assessment series and aims to help stakeholders prioritise compliance risks. The 23-page assessment provides information on suspected sanctions breaches to support organisations in implementing risk-based compliance approaches.

View Risk & Compliance by content type :
News
Practice notes
Precedents
Q&As

Popular documents

Can I charge a fee for dealing with a data subject access request?

Can I charge a fee for dealing with a data subject access request?The General Data Protection Regulation (GDPR) provides for enhanced rights for data subjects including providing rights of rectification, erasure and restriction of processing, data portability, a right to object to processing and a

Can a limited company make a subject access request? Can a director of a limited company ask for

Can a limited company make a subject access request? Can a director of a limited company ask for recordings of calls with us? If yes, what personal data must we provide?This Q&A draws on the Information Commissioner’s Office’s (ICO’s) guidance on business-to-business marketing, which may or may

Late payment penalties—inheritance tax

Late payment penalties—inheritance taxWhile interest often accrues on overdue tax, the late payment of certain taxes may also attract a penalty. For information on the interest accruing on overdue tax, see Practice Notes: IHT—payment deadlines on death—Interest on IHT and Interest on late paid

Can shares in a limited company that have not been paid-up at all be cancelled?

Can shares in a limited company that have not been paid-up at all be cancelled?A limited company having a share capital may not alter that share capital, except in the ways listed in section 617 of the Companies Act 2006 (CA 2006). Shares in a company cannot simply be cancelled without following an
Can I charge a fee for dealing with a data subject access request?

Can I charge a fee for dealing with a data subject access request?

Can I charge a fee for dealing with a data subject access request?The General Data Protection Regulation (GDPR) provides for enhanced rights for data subjects including providing rights of rectification, erasure and restriction of processing, data portability, a right to object to processing and a

Can a limited company make a subject access request? Can a director of a limited company ask for

Can a limited company make a subject access request? Can a director of a limited company ask for

Can a limited company make a subject access request? Can a director of a limited company ask for recordings of calls with us? If yes, what personal data must we provide?This Q&A draws on the Information Commissioner’s Office’s (ICO’s) guidance on business-to-business marketing, which may or may

Late payment penalties—inheritance tax

Late payment penalties—inheritance tax

Late payment penalties—inheritance taxWhile interest often accrues on overdue tax, the late payment of certain taxes may also attract a penalty. For information on the interest accruing on overdue tax, see Practice Notes: IHT—payment deadlines on death—Interest on IHT and Interest on late paid

Can shares in a limited company that have not been paid-up at all be cancelled?

Can shares in a limited company that have not been paid-up at all be cancelled?

Can shares in a limited company that have not been paid-up at all be cancelled?A limited company having a share capital may not alter that share capital, except in the ways listed in section 617 of the Companies Act 2006 (CA 2006). Shares in a company cannot simply be cancelled without following an