Data Protection Impact Assessments under the GDPR

What is a DPIA (data protection impact assessment)?

Under the GDPR (General Data Protection Regulation), DPIAs should be used to evaluate risks to the rights and freedoms of data subjects that result from data processing. They are particularly relevant when introducing new data processing processes, systems or technologies.

DPIAs also support the GDPR’s accountability principle, helping organisations prove that they have taken appropriate technical and organisational measures, as required.

Failing to adequately conduct a DPIA where mandated constitutes a breach of the GDPR and could lead to administrative fines of up to 2% of your organisation’s annual global turnover or €10 million – whichever is greater.

Key elements of a successful DPIA

The GDPR does not specify a DPIA process to follow. Instead, it allows organisations to use a framework that complements their existing working practices.

Whichever methodology you use, your DPIA will typically consist of the following steps:

  1. Identify the need for a DPIA
  2. Describe the information flow
  3. Identify data processing and related risks
  4. Identify solutions to reduce or eliminate these risks
  5. Sign off the outcomes of the DPIA
  6. Integrate data protection solutions into the project

When should you conduct a DPIA?

The GDPR mandates a DPIA be conducted where data processing “is likely to result in a high risk to the rights and freedoms of natural persons”. The three primary conditions identified in the GDPR are:

  1. A systematic and extensive evaluation of personal aspects relating to natural persons, which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person.
  2. Processing of special categories of data or personal data relating to criminal convictions and offences on a large scale.
  3. Systematic monitoring of a publicly accessible area on a large scale.

Examples of personal data processing where a DPIA is likely to be required:

  • A hospital processing its patients’ genetic and health data on its information system.
  • The archiving of pseudonymised sensitive data from research projects or clinical trials.
  • An organisation using an intelligent video analysis system to single out cars and automatically recognise registration plates.
  • An organisation systematically monitoring its employees’ activities, including their workstations and Internet activity.
  • The gathering of public social media data for generating profiles.
  • An institution creating a national-level credit rating or fraud database.

The WP29 (Article 29 Working Party), which has now been replaced by the EDPB (European Data Protection Board), was responsible for issuing guidelines and opinions on aspects of the GDPR. Its guidelines on DPIAs set out the criteria that organisations should consider when determining the risks posed by a processing operation. The more criteria are met, the more likely processing is to present a high risk to the rights and freedoms of individuals, and therefore to require a DPIA.

DPIAs and privacy by design

A DPIA should be conducted as early as possible in the project lifecycle, so that its findings and recommendations can be incorporated into the design of the processing operation.

Known as privacy by design, the embedding of data privacy features in the design of projects can have the following benefits:

  • Potential problems are identified at an early stage.
  • Addressing problems early will often be easier and cheaper.
  • Increased awareness of privacy and data protection across the organisation.
  • Organisations will be less likely to breach the GDPR.
  • Actions are less likely to be privacy intrusive and have a negative impact on individuals.

Who should be involved in conducting a DPIA?

Data controllers are responsible for ensuring the DPIA is carried out.

The DPIA should be conducted by people with appropriate expertise and knowledge of the project in question, normally the project team.

Under the GDPR, it is necessary for any organisation with a designated DPO (data protection officer) to seek their advice. This advice and the decisions taken should be documented as a part of the DPIA process.

Our solutions to help you conduct a DPIA

The DPIA Tool helps organisations determine whether they should conduct a DPIA and, if they should, helps them produce a comprehensive assessment in line with the GDPR’s requirements.

IT Governance’s solutions can help you fill the gaps in your GDPR compliance with training and consultancy solutions.



Speed up and simplify the DPIA (data protection impact assessment) process and ensure compliance with a key GDPR requirement.

DPIA Workshop

This 1-day workshop will teach you when and how to conduct a DPIA under the GDPR.

It has been designed to provide attendees with the practical knowledge they need in order to perform a DPIA that will minimise privacy risks and comply with the GDPR.

DPIA consultancy service

Book our fixed-price DPIA service and we will provide an on-site assessment of the data protection risks associated with a new or existing single data processing operation within your organisation, and recommend appropriate controls to mitigate these risks.

Our on-site assessments are conducted by a GDPR consultant and you will receive your report within ten working days of the data-gathering phase of the DPIA.

EU GDPR Documentation Toolkit

The accountability principle under the GDPR means that organisations must not only comply with the GDPR but also be able to demonstrate compliance.

IT Governance's market-leading EU GDPR Documentation Toolkit provides you with a complete set of documentation templates that are easy to use, customisable and ensure GDPR compliance, including a DPIA template and tool.

Speak to an expert

If you need guidance or advice on conducting a DPIA, or would like to learn more about how our services can help you fulfil your DPIA requirements, please get in touch with our team of GDPR experts.