
Data protection - When does my organisation need to do a data protection impact assessment (DPIA)?


Producing a DPIA is generally a long and complex process, so it is helpful that the UK General Data Protection Regulation (UK GDPR) only requires one when an organisation is carrying out processing that “is likely to result in a high risk to the rights and freedoms of natural persons”. The Information Commissioner’s Office (ICO) has published a list of processing operations that need a DPIA. However, the ICO’s good practice guidance is to use DPIAs more widely, particularly for major personal data processing initiatives. The ICO has also produced a “DPIA screening” checklist (available on its website under “Data protection impact assessments | ICO”) which organisations can use to work out when a DPIA is required.

Effectively, a DPIA is a risk assessment. Its purpose is for an organisation to consider the processing it is planning to carry out (note that the assessment should be done before the processing commences, not after), what the risks are, and how those risks can and will be reduced by the organisation in order to protect data subjects. An organisation could, for example, reduce risks by providing appropriate training to staff who will be involved with the processing, and could require personal data to be pseudonymised (see our separate article explaining what this means) whenever it needs to be transferred. If, having carefully explored how the risks can be reduced, high risks remain, then the processing should not go ahead.

A DPIA should:

  • describe the nature, scope, context and purposes of the processing;
  • assess necessity, proportionality and compliance measures;
  • identify and assess risks to individuals; and
  • identify any additional measures to mitigate those risks.

It is also worth noting that a DPIA is not a static document: it should be reviewed by the organisation periodically and updated where required (for example, when the nature of the processing or the personal data being processed changes).

Our data protection team has many years of experience in advising organisations on their compliance with UK data protection law. To speak to one of the team, you can get in touch through our website or call us on 0800 2800 421.

If you have not received this article directly, but would like to receive articles and data protection news alerts from Trethowans, please email [email protected].
