A DPIA should begin early in the life of a project, before you start your processing, and run alongside the planning and development process. It should include these steps:
After sign-off you should integrate the outcomes from your DPIA back into your project plan, and keep your DPIA under review. Throughout this process, you should consult individuals and other stakeholders as needed.
The DPIA process is designed to be flexible and scalable. You can design a process that fits with your existing approach to managing risks and projects, as long as it contains these key elements.
You can also scale the time and resources needed for a DPIA to fit the nature of the project. It does not need to be a time-consuming process in every case.
Further reading
WP29 produced guidelines on data protection impact assessments, which have been endorsed by the EDPB. Annex 2 sets out a checklist of criteria for an acceptable DPIA.
You can use or adapt our sample DPIA template if you wish.
You don’t have to use this template. You can make your own to suit your needs, or use an existing project-management method, as long as it covers all the key elements of the process. If you are making your own template, you may find it helpful to refer to the Criteria for an acceptable DPIA in Annex 2 of the Article 29 working party guidelines.
You can decide who has responsibility for carrying out DPIAs in your organisation, and who signs them off. You can outsource your DPIA, but you remain responsible for it. If you have a Data Protection Officer (DPO), you must ask for their advice on your DPIA, and document it as part of the process.
You may want to ask a processor to carry out a DPIA on your behalf if they do the relevant processing operation, but again you remain responsible for it.
As well as the business area or individual who is leading on the project or process requiring the DPIA, you should also involve:
Further reading
WP29 produced guidelines on data protection impact assessments, which have been endorsed by the EDPB.
If you have a DPO, you must seek their advice. The DPO should provide advice on:
You should record your DPO’s advice on the DPIA. If you don’t follow their advice, you should record your reasons and ensure you can justify your decision.
DPOs must also monitor the DPIA’s ongoing performance, including how well you have implemented your planned actions to address the risks.
Under Article 39 of UK GDPR, DPOs have specific tasks regarding DPIAs. This is why you must ensure that any responsibilities you give a DPO for your DPIA do not conflict with their ability to complete these tasks in an independent manner, as required by Recital 97.
In more detail – ICO guidance
Read our guidance on data protection officers for more detail on the tasks for DPOs regarding DPIAs.
Ask your DPO for advice. If you have any major project that involves the use of personal data, it is good practice to do a DPIA. If you already intend to do a DPIA, go straight to step 2.
Otherwise, you need to check whether your processing is on the list of types of processing that automatically require a DPIA. If not, you need to screen for other factors that may indicate it is a type of processing that is likely to result in high risk, such as processing the data of vulnerable individuals.
You can use or adapt the checklists at the end of this guidance to help you do this screening. You can also read ‘When do we need to do a DPIA?’ for more guidance.
If you do this screening and decide a DPIA is not needed, you should document your decision and the reasons for it, including your DPO’s advice. This does not have to be a burdensome paperwork exercise. It just needs to help you demonstrate you have properly considered and complied with your DPIA obligations. For example, you could simply keep an annotated copy of the checklist.
If you are in any doubt, we strongly recommend you do a DPIA.
Describe how and why you plan to use the personal data. Your description must include “the nature, scope, context and purposes of the processing”.
The nature of the processing is what you plan to do with the personal data. This should include, for example:
The scope of the processing is what the processing covers. This should include, for example:
The context of the processing is the wider picture, including internal and external factors which might affect expectations or impact. This might include, for example:
The purpose of the processing is the reason why you want to process the personal data. This should include:
You should seek and document the views of individuals (or their representatives) unless there is a good reason not to.
In most cases it should be possible to consult individuals in some form. However, if you decide this is not appropriate, you should record this decision as part of your DPIA, with a clear explanation. For example, you may be able to demonstrate that consultation would compromise commercial confidentiality, undermine security, or be disproportionate or impracticable.
If the DPIA covers the processing of personal data of existing contacts (for example, existing customers or employees), you should design a consultation process to seek the views of those particular individuals, or their representatives.
If the DPIA covers a plan to collect the personal data of individuals you have not yet identified, you may need to carry out a more general public consultation process, or targeted research. This could take the form of market research with a certain demographic or contacting relevant campaign or consumer groups for their views.
If your DPIA decision differs from the views of individuals, you need to document your reasons for disregarding their views.
Further reading
WP29 produced guidelines on data protection impact assessments, which have been endorsed by the EDPB.
If you use a data processor, you may need to ask them for information and assistance. Your contracts with processors should require them to assist.
You should consult all relevant internal stakeholders, in particular anyone with responsibility for information security.
We also recommend you consider seeking legal advice or advice from other independent experts such as IT experts, sociologists or ethicists where appropriate. However, there are no specific requirements to do so.
You should consider:
The Article 29 guidelines also say you should include how you ensure data protection compliance, since the compliance measures you have in place are a good indicator of whether the processing is necessary and proportionate. In particular, you should include relevant details of:
Consider the potential impact on individuals and any harm or damage your processing may cause – whether physical, emotional or material. In particular, look at whether the processing could contribute to:
You should include an assessment of the security risks, including sources of risk and the potential impact of each type of breach. This means covering illegitimate access to, modification of, and loss of personal data (that is, a loss of confidentiality, integrity or availability), as each can harm individuals in different ways.
To assess whether the risk is a high risk, you need to consider both the likelihood and severity of the possible harm. Harm does not have to be inevitable to qualify as a risk or a high risk. It must be more than remote, but any significant possibility of very serious harm may still be enough to qualify as a high risk. Equally, a high probability of widespread but more minor harm may still count as high risk.
You must make an objective assessment of the risks. It is helpful to use a structured matrix to think about likelihood and severity of risks:
The above matrix shows a structured way to assess risk. Your organisation may use a different method you can adapt for the same purpose.
You may also want to consider your own corporate risks, such as the impact of regulatory action, reputational damage or loss of public trust.
Against each risk identified, record its source. You should then consider options for reducing that risk. For example:
This is not an exhaustive list, and you may be able to devise other ways to help reduce or avoid the risks. You should ask your DPO for advice.
Record whether each measure would reduce or eliminate the risk. You can take into account the costs and benefits of each measure when deciding whether or not it is appropriate.
You should then record:
You do not always have to eliminate every risk. You may decide that some risks, and even a high risk, are acceptable given the benefits of the processing and the difficulties of mitigation. However, if there is still a high risk, you need to consult the ICO before you can go ahead with the processing.
As part of the sign-off process, you should seek and document DPO advice on whether the processing is compliant and can go ahead. If you decide not to follow their advice, you need to record your reasons.
You should also record any reasons for going against the views of individuals or other consultees.
You must integrate the outcomes of your DPIA into your project plans. You should identify any action points and who is responsible for implementing them. You can use the usual project-management process to ensure these are followed through.
You should monitor the ongoing performance of the DPIA. You may need to cycle through the process again before your plans are finalised.
If you have decided to accept a high risk, either because it is not possible to mitigate or because the costs of mitigation are too high, you must consult the ICO before you go ahead with the processing. See the next section for more information on this consultation process.
To aid transparency and accountability, it is good practice to publish your DPIA. This could help foster trust in your processing activities, and improve individuals’ ability to exercise their rights. If you are concerned that publication may reveal commercially sensitive information, undermine security or cause other risks, you should consider whether you can redact (black out) or remove sensitive details, or publish a summary.
When considering publishing DPIAs, public authorities should think about their wider transparency obligations, such as complying with the Freedom of Information Act. Before UK GDPR, many public authorities included privacy impact assessments in their definition documents for publication schemes.
You need to keep your DPIA under review. You may need to repeat it if there is a substantial change to the nature, scope, context or purposes of your processing.