Data protection impact assessment (DPIA) checklist

Read the Data Protection Impact Assessment (DPIA) to make sure it meets your needs. Remember that if you have any questions you can easily Ask a lawyer.

If any risks with an overall risk level of medium or high have been identified, the completed DPIA should be provided to your organisation’s data protection officer (DPO), where one exists. The DPO should then advise on whether your data processing is compliant and can go ahead. If the DPO’s advice is not followed, the reasons for this need to be recorded in the DPIA.

Where a risk with an overall high risk level cannot be mitigated or eliminated, you should consult with the Information Commissioner’s Office (ICO) before any data processing can begin. The ICO will give written advice within 8 weeks (or 14 weeks in complex cases). 

For more information, read Data protection impact assessments.

While not necessary, it is considered to be good practice to publish finalised DPIAs to abide by transparency and accountability obligations. Doing this can increase trust in your organisation’s data processing activities and facilitate and improve individuals’ abilities to exercise their rights in relation to personal data.

Once finalised, the outcomes of the DPIA should be integrated into the project plan, with any action points clearly being identified and assigned to the party responsible for implementing them (eg under the usual project-management process).

You should continuously monitor the ongoing performance of the DPIA as it may be necessary to carry out another assessment before the project plans are finalised. 

You should also bear in mind that a DPIA may need to be repeated if there is a substantial change to the nature, scope, context or purposes of your data processing.

For more information, read Data protection impact assessments.

Your organisation should keep the original DPIA.

A copy of the DPIA will also be stored automatically in your Rocket Lawyer account ‘Dashboard’.