How to make a Data protection impact assessment (DPIA)

Create a data protection impact assessment (DPIA) to identify and minimise the data protection risks of a project that you are undertaking. Complete this DPIA template if you are processing (eg obtaining or recording) personal data (eg names or information about physical or mental health) which is likely to result in a high risk to the rights and freedoms of individuals.

Recently reviewed by Lauren Delin, Solicitor.

This data protection impact assessment was last reviewed on 11 January 2022.

A DPIA is a process designed to help organisations (often known as ‘data controllers’) identify and minimise the data protection risks of a project. It’s an essential component of an organisation’s accountability obligation under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, and it helps organisations assess and demonstrate how they comply with their data protection obligations.

Use this DPIA:

  • if you are undertaking a project that involves the processing of personal data

  • if the processing is likely to result in a high risk to the rights and freedoms of individuals

  • where personal data is not being transferred outside of England, Wales or Scotland

This DPIA covers:

  • project details

  • who the data subjects (ie the individuals the data relates to) are

  • the nature, scope, context and purposes of the processing

  • details of any internal stakeholder and/or external expert consultations

  • the necessity, proportionality and compliance measures of the processing

  • the identification and assessment of any risks to individuals

  • the identification of any additional measures to reduce or eliminate any risks

DPIAs need to be completed where the processing (eg obtaining or recording) of personal data (eg names, addresses and information about racial or ethnic origin) is likely to result in a high risk to the rights and freedoms of individuals. A ‘risk’ is the potential for any significant physical, material or non-material harm to individuals. To determine whether a risk is ‘high risk’, the likelihood and severity of any potential harm to individuals need to be considered.

For more information on when processing is likely to result in a high risk to the rights and freedoms of individuals, read Data protection impact assessments.

Generally, a DPIA should be considered whenever you intend to undertake a project involving the use of personal data. A DPIA should also be considered if you plan to carry out any of the following:

  • evaluation or scoring (eg a financial institution screening customers against a credit reference or an anti-money laundering database)

  • automated decision-making with significant effects (eg processing that may lead to the exclusion or discrimination of individuals)

  • systematic monitoring (ie processing used to observe, monitor or control data subjects, including data collected through networks or the systematic monitoring of a publicly accessible area)

  • processing of sensitive personal data or data of a highly personal nature (eg hospitals keeping patients’ medical records or private investigators keeping offenders’ details)

  • processing on a large scale (large scale either due to the number of data subjects concerned, the volume of data, the duration/performance of the processing or the geographical extent of the processing activity)

  • processing of personal data concerning vulnerable data subjects (eg children, employees and vulnerable individuals requiring special protection)

  • innovative technological/organisational solutions (eg certain ‘Internet of Things’ applications, with an impact on individuals’ daily lives and privacy)

  • processing that involves preventing data subjects from exercising a right or using a service or contract (eg banks screening customers against a credit reference database when deciding whether to offer them a loan)

Under the UK GDPR, a DPIA should always be carried out when you plan to:

  • use systematic and extensive profiling or automated decision-making to make significant decisions about people (eg employers monitoring staff internet habits to ensure they aren’t using it for illicit purposes)

  • process special category or criminal offence data on a large scale

  • systematically monitor a publicly accessible place on a large scale (eg use of CCTV of public spaces)

  • involve the use of new technologies, or the novel application of existing technologies, for data processing (eg artificial intelligence, machine learning and deep learning)

  • use profiling, automated decision-making or special category data to help make decisions on someone’s access to a service, opportunity or benefit (eg credit card or mortgage checks)

  • carry out profiling on a large scale (eg data processed by smart meters)

  • process biometric data to uniquely identify an individual (eg facial recognition systems)

  • process genetic data, other than by an individual GP/health professional providing health care to the data subject (eg DNA testing)

  • combine, compare or match data from multiple sources (eg direct marketing)

  • process personal data involving tracking an individual’s geolocation or behaviour (eg web- and cross-device tracking)

  • process children’s/vulnerable individuals’ personal data for marketing, profiling for automated decision making or the offer of online services (eg toys connected to the internet)

  • process personal data that could result in a risk of physical harm in the event of a security breach

For more information, read Data protection impact assessments and the Information Commissioner’s Office (ICO) list of examples of data processing that will (likely) require a DPIA.

Before you carry out your DPIA you should consider:

  • what data is being processed and why (this is the aim of the project)

  • if the data processing is likely to result in a high risk to the data subjects

  • what the benefits of you processing the data are (ie consider the benefits for you and society as a whole)

  • how you will ensure that individuals’ rights in relation to their data will be implemented and supported

  • any potential risks associated with your processing of the data, and how these could be reduced or eliminated

  • whether you can achieve the same result in any other way (especially if that way may be less intrusive)

Consider familiarising yourself with the DPIA process by reading the following:

Personal data is information relating to an individual who can be identified from that data, either on its own or in combination with other data held. Personal data includes names, addresses, telephone numbers, birthdates, job titles and online identifiers (eg IP addresses).

There is a further 'special category' of 'sensitive personal data' which is awarded greater protection under the law and includes information about:

  • racial or ethnic origin

  • political opinions

  • religious or similar beliefs

  • trade union membership

  • physical or mental health or condition

  • sex life or sexual orientation

  • biometrics (eg fingerprint data/facial images) and genetics

While criminal offence data (personal data relating to criminal convictions and offences or related security measures) is treated separately from personal data and special category data, it is subject to even tighter controls.

Due to the sensitive nature of special category personal data and criminal offence data, further conditions for processing need to be met and recorded in a DPIA. See Compliance for DPIAs for more information.

For more information on personal data, read Data protection.

You will only be able to process personal data if you have a lawful basis for doing so. DPIAs should set out which lawful ground(s) for processing you are relying on, including if the:

  • data subject has consented to the processing

  • processing is necessary for the performance of a contract

  • processing is necessary to comply with the law 

  • processing is necessary to protect someone’s ‘vital interests’

  • processing is necessary for the performance of a task in the public interest or the organisation’s official functions

  • processing is necessary for the organisation’s or a third party’s legitimate interests (a legitimate interest assessment will need to be carried out)

For more information on the grounds for processing, read Compliance for DPIAs.

In addition to having a lawful basis for processing, to process special category data further conditions for processing need to be met and recorded in your DPIA, including if:

  • the data subject has explicitly consented to the processing

  • the processing is necessary for you to carry out your obligations and exercise specific rights in the field of employment and social security and social protection law

  • the processing is necessary to protect the vital interest of a data subject or another person and the data subject is incapable of giving consent

  • you are a not-for-profit body processing special category data as part of your legitimate activities

  • the processing relates to personal data that has been made public by the data subject

  • the processing is necessary for legal claims or judicial acts

  • the processing is necessary for reasons of substantial public interest

  • the processing is necessary for health or social care purposes

  • the processing is necessary due to public interest in public health

  • the processing is necessary for statistical or archiving purposes, scientific or historical research purposes and is in the public interest

For more information on these further conditions for processing, read Compliance for DPIAs. Note that if you wish to process special category data for reasons of substantial public interest, you will need to meet further ‘associated conditions’. For more information on this, read Substantial public interest for DPIAs.

To process criminal offence data, in addition to having a lawful basis for processing, you need to show that you are processing the data under the control of official authority or authorised to process the data under UK law.

Processing under the control of official authority means that you have the authority to process criminal offence data under the law, and you must be able to point to a specific law that provides you with such authority. Generally, public bodies (and private bodies given public sector tasks) may have such authority to process. For example, the courts have specific official authority to process criminal offence data.

If you are not processing under the control of official authority, you can only process criminal offence data if you are authorised to do so by UK law. This means that one of the 28 conditions set out in the Data Protection Act 2018 needs to be met. These 28 conditions include, but are not limited to, processing criminal offence data for reasons of fraud prevention, suspicion of terrorist financing or money laundering, and insurance.

For more information, read Compliance for DPIAs and Criminal offence data for DPIAs.

In certain situations, an Appropriate policy document (APD) will need to be in place before you process special category data or criminal offence data. An APD is a document outlining the organisation’s compliance measures and retention policies for these types of data.

For more information on when an APD is needed, read Appropriate policy documents.

If, while carrying out your DPIA, you identify any risks with a high overall (residual) risk level that you cannot mitigate, you must consult the ICO. You cannot proceed with your processing of the data until you have done this. The ICO will generally give written advice within 8 weeks, but this period may be extended. Read Data protection impact assessments for more information.

The project is the reason why you are processing the personal data. In your DPIA you should provide detailed information on why you want to carry out the project and what types of data processing this involves. Where possible, you should link to any project plan that exists.

Once completed, the DPIA should be kept under review and monitored, as it may be necessary to revisit the assessment before the project plans are finalised. Bear in mind that a new DPIA may be required if there is a substantial change to the nature, scope, context or purposes of the data processing. Read Data protection impact assessments for more information.

Ask a lawyer for advice if:

  • you have any questions about DPIAs

  • this document doesn’t meet your specific needs

  • you are transferring data outside England, Wales or Scotland

This DPIA is governed by the law of England, Wales and Scotland.

Other names for Data protection impact assessment (DPIA)

DPIA, Privacy impact assessment, PIA.