How to Carry out a Data Protection Impact Assessment


What is a Data Protection Impact Assessment?

A Data Protection Impact Assessment (DPIA) is a mandatory requirement under the UK GDPR for certain types of data processing and activities. Article 35 states that a DPIA must be carried out where the type of processing is likely to result in a high risk to the rights and freedoms of individuals. This requirement is especially important where new technologies are used. For any type of data, the nature, scope, context and purposes of the processing must be considered.

The purpose of the assessment is to assess the risk posed to individuals from processing their personal data. The DPIA is carried out prior to the processing taking place, which allows action to be taken to reduce the risks where possible. A DPIA should consider both the likelihood and severity of any impact on individuals.

When Must a DPIA Be Carried Out?

Some organisations carry out a data protection impact assessment prior to the processing of any high risk or sensitive personal data. Such an assessment can be useful for building confidence in those whose personal data you are processing.

However, the UK GDPR specifies several activities in Article 35(3) and Recitals 84, 89-96 where it is a mandatory requirement for a DPIA to be carried out. Such scenarios and activities are:

  • Systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person(s).
  • Processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.
  • Systematic monitoring of a publicly accessible area on a large scale.
  • Where a processing operation is likely to result in a high risk to the rights and freedoms of an individual.
  • Those activities or processing operations involving the use of new technologies.
  • New processing activities not previously used.
  • Processing considerable amounts of personal data at regional, national or supranational level, which could affect many data subjects.
  • Activities making it difficult for the data subject(s) to exercise their rights.

What Should the DPIA Assess?

Individuals have an expectation that the privacy of their information will be upheld whilst their data is being processed by any organisation. There are some types of personal data and processing activities that are considered high risk by their content or nature.

In such cases, a data protection impact assessment can be used to assess and measure the risks posed prior to undertaking the processing.

The ICO note that a DPIA must:

  • Describe the nature, scope, context and purposes of the processing.
  • Assess necessity, proportionality and compliance measures.
  • Identify and assess risks to individuals.
  • Identify any additional measures to mitigate those risks.

Aim of a Data Protection Impact Assessment

The aim of a DPIA is to assess the risks of processing personal data and implement actions to reduce those risks. The overall purpose is to protect the personal information of individuals and safeguard their data. DPIAs are an effective and sometimes mandatory tool to assist Data Protection Officers in identifying the risks associated with data processing. They enable a proactive approach to assessing, managing and monitoring processing risks.

Processing Operations Requiring a DPIA

The ICO have published a list of the processing operations that the Commissioner requires an organisation to complete a DPIA for. The operations on this list have been deemed as ‘likely to result in high risk’.

The examples included in the list are non-exhaustive. This means that you should still ascertain whether the type of data and processing requires a DPIA. Below are a handful of the operations that appear on the ICO list.

  • Artificial intelligence
  • Smart technologies
  • Credit checks
  • Mortgage applications
  • Insurance applications
  • Data processed by Smart Meters
  • Medical research
  • Tracking an individual's geolocation or behaviour
  • Facial recognition systems
  • Pre-check processes related to contracts

DPIA Stages

Data Protection Impact Assessment Template

  • Word & Excel Formats
  • Comply with GDPR Article 35
  • Evidence DPIA Compliance
  • Fully Customisable
  • Instant Download After Payment

Know Your Compliance Limited have been providing regulatory compliance policies and procedures for over 10 years. With nearly 9000 organisations using our professional templates, you can save time and money and focus on what your business does best! Our market leading Data Protection Impact Assessment (DPIA) template aids compliance with the GDPR Article 35 requirements in a simple, easy to use format.

The DPIA templates come in both Excel and Word formats. Our DPIA tool is used by sectors such as the NHS, Government departments, major banks, universities and thousands of SMEs. The DPIA template can be used to assess all processing activities that are likely to result in a high risk to the rights and freedoms of natural persons.
