GDPR – Six key stages of the data protection impact assessment (DPIA)

The DPIA is one of the specific processes mandated by the General Data Protection Regulation (GDPR). Organisations must carry out a DPIA where a planned or existing processing operation –“is likely to result in a high risk to the rights and freedoms of individuals”. DPIAs are particularly relevant to taking a privacy-by-design approach when introducing a new data processing system or technology. A DPIA helps organisations to find and fix problems at the early stages of any project, reducing the associated costs and damage to reputation that might otherwise accompany a data breach.

Six key stages of the DPIA

DPIAs are scalable in length and scope, depending on the privacy risks and impact of the processing operation.

The key stages of the DPIA are:

  1. Identify the need for the DPIA – determine whether the inherent risks of the processing operation require you to undertake a DPIA.
  2. Describe the information flow – be able to describe how the information within the processing operation is collected, stored, used and deleted.
  3. Identify privacy and related risks – catalogue the range of threats, and their related vulnerabilities, to the rights and freedoms of individuals whose data you collect and/or process.
  4. Identify and evaluate privacy solutions – for each identified risk to the personal data, make a ‘risk decision’, i.e. whether to accept or reject the risk, whether to transfer it or take steps to reduce the impact or likelihood of the threat successfully exploiting the vulnerability.
  5. Sign off and record the DPIA outcomes – record the outcomes of the DPIA (steps 1-4) in a report that is signed off by whoever is responsible for those decisions. Where a high risk has been identified, the organisation must submit the DPIA to the regulatory authority for consultation.
  6. Integrate the DPIA outcomes into the project plan – you will need to continually refer to the DPIA in order to ensure that it is being followed and that its responses to the risks have been implemented effectively.

Data Protection Impact Assessment (DPIA) Workshop

GDPR DPIA WorkshopTo help you get started immediately, we recommend that you attend our Data Protection Impact Assessment (DPIA) Workshop, a one-day classroom session designed to provide delegates with the practical knowledge to deliver effective DPIAs. It costs just £495 plus VAT, and the next sessions are in London on 26 February 2018 and Manchester 13 February 2018.

Book your place now >>




  1. Mark Johnson 4th July 2017
  2. Mark Smyth-Roberts 4th July 2017
  3. Madhusudan singh 7th February 2018