What is a DPIA (data protection impact assessment)?
A DPIA is a type of risk assessment. It helps you identify and minimise risks relating to personal data processing activities. DPIAs are also sometimes known as PIAs (privacy impact assessments).
The GDPR (General Data Protection Regulation) and DPA (Data Protection Act) 2018 require you to carry out a DPIA before certain types of processing. This ensures that you can mitigate data protection risks.
For instance, if processing personal information is likely to result in a high risk to data subjects’ rights and freedoms, you should carry out a DPIA.
You should also conduct one when introducing new data processing processes, systems or technologies.
Looking for comprehensive guidance and practical advice on complying with the GDPR? Read our bestselling Implementation and Compliance Guide.
UK data protection law is currently being revised. We are following the progress of the Data Protection and Digital Information (No.2) Bill through parliament and will keep you updated on how it might affect your data processing obligations.
Why are DPIAs important?
DPIAs are a useful way of ensuring the efficiency – and cost-effectiveness – of the security measures you implement.
A risk-based approach ensures you do not waste resources attempting to mitigate threats that are unlikely to occur or will have little effect.
When required, not carrying out a DPIA could leave you open to enforcement action from the ICO (Information Commissioner’s Office) – the UK’s data protection authority. This could include a fine of up to 2% of your organisation’s annual global turnover or €10 million – whichever is greater.
Regular data privacy impact assessments also support the GDPR’s accountability principle. This helps your organisation prove its compliance with the Regulation – both to the supervisory authority and other stakeholders.
When must you conduct a DPIA?
Article 35 of the GDPR requires organisations to carry out a DPIA when data processing is likely to result in a high risk to data subjects. This especially applies if you plan to:
- Use systematic and extensive profiling with significant effects.
- Process special category or criminal offence data on a large scale.
- Systematically monitor publicly accessible places on a large scale.
The ICO's screening checklist will help you decide whether to carry out a DPIA.
European data protection impact assessment guidelines
The WP29's (Article 29 Working Party)’s guidelines on DPIAs have been adopted by its replacement, the EDPB (European Data Protection Board).
The more criteria are met, the more likely a DPIA will be required.
Read the WP29 guidelines on DPIAs
DPIAs and privacy by design
You should conduct a DPIA as early as possible in a project’s lifecycle. That way, its findings and recommendations can be incorporated into the processing operation's design rather than added on afterwards.
This privacy-by-design approach can have the following benefits:
- Potential problems are identified at an early stage.
- Addressing issues early will often be easier and cheaper.
- Awareness of privacy and data protection will be increased across the organisation.
- Organisations will be less likely to breach the GDPR.
- Actions are less likely to have a negative impact on individuals.
How to conduct a DPIA
The GDPR does not specify a DPIA process to follow. Instead, it allows organisations to use a framework that complements their existing processes.
The ICO provides the following guidance on the DPIA process:
1. Identify the need for a DPIA
- Consult your DPO (data protection officer) if you have one.
- Check whether your processing requires a DPIA.
- Use the ICO screening checklist.
- If you decide a DPIA is not necessary, record your decision and the reasons for it.
- If you decide a DPIA is required, proceed to step 2.
2. Describe the data processing
Document the nature, scope, context and purpose of the processing, including:
- How you collect, store and use the data.
- Who the data is shared with.
- Security measures you will use to protect the data.
- The nature, volume, variety and sensitivity of the data.
- The extent, frequency and duration of the processing.
- The number of data subjects involved.
- Where you obtained their data.
- Whether any of the data subjects are children or other vulnerable people.
- Your legitimate interests, where relevant.
- Obtain and record the views of individuals or their representatives unless there is a good reason not to. This might include a general public consultation.
- Ask data processors for assistance, where necessary.
- Consult relevant internal stakeholders, such as security teams.
- Seek independent external advice, such as legal advice, where appropriate.
4. Assess necessity and proportionality
Consider and record:
- Whether your plans help achieve your purpose; and
- If the same result could be achieved any other way.
Include details of how you will ensure compliance with the GDPR’s data processing principles, including:
- Your lawful basis for processing;
- How you will provide data subjects with privacy information.
- How you will enable data subjects’ rights.
- Any measures to ensure data processors comply with the law.
5. Identify and assess risks
Consider how data subjects will be affected by your data processing. The impacts of processing might include:
- Financial loss or economic disadvantage.
- Restrictions on the data subject’s ability to access services or opportunities. or
- Social impacts.
Also think about how they might be affected by different types of data breaches, such as:
- Illegitimate access to personal data.
- Loss or modification of personal data.
Evaluate the likelihood and severity of security risks and whether they fall within acceptable levels.
Learn more about information security risk assessments
6. Identify measures to mitigate the risks
For each risk you have identified, record its source and consider options for reducing it. For instance:
- Reducing the data retention period.
- Implementing additional technical security measures.
- Anonymising or pseudonymising data.
7. Sign off and record outcomes
- Record how each risk has been treated and the level of residual risk.
- If there are still high risks you cannot mitigate, you should consult the ICO before you start processing.
After signing off, you should integrate the DPIA’s outcomes into your project plan and monitor its ongoing performance.
Who should conduct a DPIA?
Data controllers are responsible for ensuring DPIAs are carried out.
The DPIA should be conducted by those with appropriate expertise and knowledge of the project, usually the project team.
Under the GDPR, it is necessary for any organisation with a designated DPO (data protection officer) to seek their advice. This advice and the decisions taken should be documented as a part of the DPIA process.
Find out more about outsourcing when conducting a DPIA.