Data Protection Impact Assessments and the GDPR

What is a DPIA (data protection impact assessment)?

A DPIA is a type of risk assessment. It helps you identify and minimise risks relating to personal data processing activities. DPIAs are also sometimes known as PIAs (privacy impact assessments).

The GDPR (General Data Protection Regulation) and DPA (Data Protection Act) 2018 require you to carry out a DPIA before certain types of processing. This ensures that you can mitigate data protection risks.

For instance, if processing personal information is likely to result in a high risk to data subjects’ rights and freedoms, you should carry out a DPIA.

You should also conduct one when introducing new data processing processes, systems or technologies.

Looking for comprehensive guidance and practical advice on complying with the GDPR? Read our bestselling Implementation and Compliance Guide.

UK data protection law is currently being revised. We are following the progress of the Data Protection and Digital Information (No.2) Bill through parliament and will keep you updated on how it might affect your data processing obligations.

Free PDF: Implementing an ISMS - The nine-step approach

Free paper: A Concise Guide to Data Protection Impact Assessments (DPIAs)

This paper explains exactly what DPIAs are, why and when you need to conduct them, and offers a straightforward approach that you can tailor to your needs to conduct your assessments efficiently, effectively and in line with the law.

Download now

Why are DPIAs important?

DPIAs are a useful way of ensuring the efficiency – and cost-effectiveness – of the security measures you implement.

A risk-based approach ensures you do not waste resources attempting to mitigate threats that are unlikely to occur or will have little effect.

When required, not carrying out a DPIA could leave you open to enforcement action from the ICO (Information Commissioner’s Office) – the UK’s data protection authority. This could include a fine of up to 2% of your organisation’s annual global turnover or €10 million – whichever is greater.

Regular data privacy impact assessments also support the GDPR’s accountability principle. This helps your organisation prove its compliance with the Regulation – both to the supervisory authority and other stakeholders.

DPIA solutions

DPIA assessment tool

DPIA Training Workshop

This one-day workshop teaches attendees to perform a DPIA in line with the GDPR and DPA 2018.

   Book now

DPIA consultancy service


Get an on-site, expert assessment of the risks associated with your data processing activities with our fixed-price DPIA consultancy service. 

Find out more



Quickly determine whether a DPIA is required and simplify the entire DPIA process with this tool.

Aligned with the GDPR, you can easily review, update and maintain your DPIA whenever needed.

Buy now

GDPR toolkit

GDPR Toolkit

Ensure your GDPR compliance with IT Governance’s market-leading GDPR documentation toolkit. It contains a complete set of easy-to-use documentation templates, including a DPIA template and DPIA tool.

Buy now

When must you conduct a DPIA?

Article 35 of the GDPR requires organisations to carry out a DPIA when data processing is likely to result in a high risk to data subjects. This especially applies if you plan to:

  • Use systematic and extensive profiling with significant effects.
  • Process special category or criminal offence data on a large scale.
  • Systematically monitor publicly accessible places on a large scale.

The ICO's screening checklist will help you decide whether to carry out a DPIA.

European data protection impact assessment guidelines

The WP29's (Article 29 Working Party)’s guidelines on DPIAs have been adopted by its replacement, the EDPB (European Data Protection Board).

The more criteria are met, the more likely a DPIA will be required.

Read the WP29 guidelines on DPIAs

DPIAs and privacy by design

You should conduct a DPIA as early as possible in a project’s lifecycle. That way, its findings and recommendations can be incorporated into the processing operation's design rather than added on afterwards.

This privacy-by-design approach can have the following benefits:

  • Potential problems are identified at an early stage.
  • Addressing issues early will often be easier and cheaper.
  • Awareness of privacy and data protection will be increased across the organisation.
  • Organisations will be less likely to breach the GDPR.
  • Actions are less likely to have a negative impact on individuals.

How to conduct a DPIA

The GDPR does not specify a DPIA process to follow. Instead, it allows organisations to use a framework that complements their existing processes.

The ICO provides the following guidance on the DPIA process:

1. Identify the need for a DPIA

2. Describe the data processing

3. Consultation

4. Assess necessity and proportionality

5. Identify and assess risks

6. Identify measures to mitigate the risks

7. Sign off and record outcomes

Who should conduct a DPIA?

Data controllers are responsible for ensuring DPIAs are carried out.

The DPIA should be conducted by those with appropriate expertise and knowledge of the project, usually the project team.

Under the GDPR, it is necessary for any organisation with a designated DPO (data protection officer) to seek their advice. This advice and the decisions taken should be documented as a part of the DPIA process.

Find out more about outsourcing when conducting a DPIA.

This website uses cookies. View our cookie policy
SAVE 10%