Data Protection Impact Assessments and the GDPR

What is a DPIA (data protection impact assessment)?

A DPIA is a type of risk assessment. It helps you identify and minimise the risks arising from your personal data processing activities. DPIAs are also sometimes known simply as PIAs (privacy impact assessments).

The EU GDPR (General Data Protection Regulation) and DPA (Data Protection Act) 2018 require you to carry out a DPIA before certain types of processing.

For instance, if processing personal information is likely to result in a high risk to data subjects’ rights and freedoms, you should carry out a DPIA.

You should also conduct one when introducing new data processing processes, systems or technologies.

Why are DPIAs important?

DPIAs are a useful way of ensuring the efficiency – and cost-effectiveness – of the security measures you implement.

A risk-based approach ensures you do not waste resources attempting to mitigate threats that are unlikely to occur or will have little effect.

Not carrying out a DPIA when required could leave you open to enforcement action from the ICO (Information Commissioner’s Office). This could include a fine of up to 2% of your organisation’s annual global turnover or €10 million – whichever is greater.

Regular DPIAs also support the GDPR’s accountability principle, helping your organisation prove its compliance with the Regulation.

DPIA solutions

DPIA Tool

Quickly determine whether a DPIA is required and simplify the entire DPIA process with this tool.

Aligned with the GDPR, the DPIA Tool simplifies the risk assessment process, so you can easily review, update and maintain your DPIA whenever needed.

DPIA Training Workshop

This one-day workshop teaches attendees how to perform a DPIA in line with the DPA 2018 and the EU GDPR.

DPIA consultancy service

Get an on-site, expert assessment of the risks associated with your data processing activities with our fixed-price DPIA consultancy service.

GDPR Toolkit

Ensure your GDPR compliance with IT Governance’s market-leading GDPR documentation toolkit. It contains a complete set of easy-to-use documentation templates, including a DPIA template and DPIA tool.

When must you conduct a DPIA?

Article 35 of the GDPR requires organisations to carry out a DPIA when data processing is likely to result in a high risk to data subjects’ rights and freedoms, particularly if you plan to:

  • Use systematic and extensive profiling with significant effects;
  • Process special category or criminal offence data on a large scale; or
  • Systematically monitor publicly accessible places on a large scale.

The ICO's screening checklist will help you decide whether to carry out a DPIA.

European DPIA guidelines

The guidelines on data protection impact assessments issued by the WP29 (Article 29 Working Party) have been adopted by its replacement, the EDPB (European Data Protection Board).

The more of the guidelines’ criteria that are met, the more likely it is that a DPIA will be required.

Read the WP29 guidelines on DPIAs

DPIAs and privacy by design

You should conduct a DPIA as early as possible in a project’s lifecycle. That way, its findings and recommendations can be incorporated into the design of the processing operation rather than added on afterwards.

This privacy-by-design approach can have the following benefits:

  • Potential problems are identified at an early stage.
  • Addressing problems early will often be easier and cheaper.
  • Awareness of privacy and data protection will be increased across the organisation.
  • Organisations will be less likely to breach the GDPR.
  • Actions are less likely to have a negative impact on individuals.

How to conduct a DPIA

The GDPR does not specify a DPIA process to follow. Instead, it allows organisations to use a framework that complements their existing processes.

The ICO provides the following guidance on the DPIA process:

1. Identify the need for a DPIA
2. Describe the data processing
3. Consultation
4. Assess necessity and proportionality
5. Identify and assess risks
6. Identify measures to mitigate the risks
7. Sign off and record outcomes

Who should conduct a DPIA?

Data controllers are responsible for ensuring DPIAs are carried out.

The DPIA should be conducted by those with appropriate expertise and knowledge of the project in question – normally the project team.

Under the GDPR, any organisation with a designated DPO (data protection officer) must seek the DPO’s advice. This advice and the decisions taken should be documented as part of the DPIA process.

Find out more about outsourcing when conducting a DPIA.
