Get a quote
Consultancy
 › Privacy Impact Assessment PIA

Data Protection Impact Assessments and the GDPR

GRC Wave Graphics

What is a DPIA (data protection impact assessment)?

What is a DPIA (data protection impact assessment)?

The GDPR (General Data Protection Regulation) and DPA (Data Protection Act) 2018 require you to carry out a DPIA before certain types of processing. This ensures that you can mitigate data protection risks.

For instance, if processing personal information is likely to result in a high risk to data subjects’ rights and freedoms, you should carry out a DPIA.

You should also conduct one when introducing new data processing processes, systems or technologies.

Looking for comprehensive guidance and practical advice on complying with the GDPR? Read our bestselling Implementation and Compliance Guide.

GRC Wave Graphics

Why are DPIAs important?

DPIAs are a useful way of ensuring the efficiency – and cost-effectiveness – of the security measures you implement.

A risk-based approach ensures you do not waste resources attempting to mitigate threats that are unlikely to occur or will have little effect.

When required, not carrying out a DPIA could leave you open to enforcement action from the ICO (Information Commissioner’s Office) – the UK’s data protection authority. This could include a fine of up to 2% of your organisation’s annual global turnover or €10 million – whichever is greater.

Regular data privacy impact assessments also support the GDPR’s accountability principle. This helps your organisation prove its compliance with the Regulation – both to the supervisory authority and other stakeholders.

DPIA solutions

DPIA Training Workshop

This one-day workshop teaches attendees to perform a DPIA in line with the GDPR and DPA 2018.

GDPR DPIA Service

Get an on-site, expert assessment of the risks associated with your data processing activities with our fixed-price DPIA consultancy service.

DPIA Tool

Quickly determine whether a DPIA is required and simplify the entire DPIA process with this tool.

GDPR Compliance

Ensure your GDPR compliance with GRC Solutions market-leading GDPR documentation toolkit. It contains a complete set of easy-to-use documentation templates, including a DPIA template and DPIA tool.

When must you conduct a DPIA?

Article 35 of the GDPR requires organisations to carry out a DPIA when data processing is likely to result in a high risk to data subjects. This especially applies if you plan to:
  • Use systematic and extensive profiling with significant effects.
  • Process special category or criminal offence data on a large scale.
  • Systematically monitor publicly accessible places on a large scale.

The ICO’s screening checklist will help you decide whether to carry out a DPIA.

European data protection impact assessment guidelines

The WP29's (Article 29 Working Party)’s guidelines on DPIAs have been adopted by its replacement, the EDPB (European Data Protection Board). The more criteria are met, the more likely a DPIA will be required.
Read the guidelines on DPIAs

DPIAs and privacy by design

You should conduct a DPIA as early as possible in a project’s lifecycle. That way, its findings and recommendations can be incorporated into the processing operation's design rather than added on afterwards.
  • Potential problems are identified at an early stage.
  • Addressing issues early will often be easier and cheaper.
  • Awareness of privacy and data protection will be increased across the organisation.
  • Organisations will be less likely to breach the GDPR.
  • Actions are less likely to have a negative impact on individuals.

How to conduct a DPIA

The GDPR does not specify a DPIA process to follow. Instead, it allows organisations to use a framework that complements their existing processes.

  • Consult your DPO (data protection officer) if you have one.
  • Check whether your processing requires a DPIA.
  • Use the ICO screening checklist.
  • If you decide a DPIA is not necessary, record your decision and the reasons for it.
  • If you decide a DPIA is required, proceed to step 2.

Document the nature, scope, context and purpose of the processing, including:

  • How you collect, store and use the data.
  • Who the data is shared with.
  • Security measures you will use to protect the data.
  • The nature, volume, variety and sensitivity of the data.
  • The extent, frequency and duration of the processing.
  • The number of data subjects involved.
  • Where you obtained their data.
  • Whether any of the data subjects are children or other vulnerable people.
  • Your legitimate interests, where relevant.

  • Obtain and record the views of individuals or their representatives unless there is a good reason not to. This might include a general public consultation.
  • Ask data processors for assistance, where necessary.
  • Consult relevant internal stakeholders, such as security teams.
  • Seek independent external advice, such as legal advice, where appropriate.

Consider and record:

  • Whether your plans help achieve your purpose; and
  • If the same result could be achieved any other way.

Include details of how you will ensure compliance with the GDPR’s data processing principles, including:

  • Your lawful basis for processing;
  • How you will provide data subjects with privacy information.
  • How you will enable data subjects’ rights.
  • Any measures to ensure data processors comply with the law.

Consider how data subjects will be affected by your data processing. The impacts of processing might include:

  • Financial loss or economic disadvantage.
  • Restrictions on the data subject’s ability to access services or opportunities. or
  • Social impacts.

Also think about how they might be affected by different types of data breaches, such as:

  • Illegitimate access to personal data.
  • Loss or modification of personal data.

Evaluate the likelihood and severity of security risks and whether they fall within acceptable levels.

 Learn more about information security risk assessments

For each risk you have identified, record its source and consider options for reducing it. For instance:

  • Reducing the data retention period.
  • Implementing additional technical security measures.
  • Anonymising or pseudonymising data.

  • Record how each risk has been treated and the level of residual risk.
  • If there are still high risks you cannot mitigate, you should consult the ICO before you start processing.

After signing off, you should integrate the DPIA’s outcomes into your project plan and monitor its ongoing performance.

GRC Wave Graphics

Who should conduct a DPIA?

Data controllers are responsible for ensuring DPIAs are carried out.

The DPIA should be conducted by those with appropriate expertise and knowledge of the project, usually the project team.

Under the GDPR, it is necessary for any organisation with a designated DPO (data protection officer) to seek their advice. This advice and the decisions taken should be documented as a part of the DPIA process.

Find out more about outsourcing when conducting a DPIA