At a glance
- A data protection impact assessment (DPIA) is a process to help you identify and minimise the data protection risks of a project.
- You must do a DPIA for certain listed types of processing, or any other processing that is likely to result in a high risk to individuals’ interests. You can use our screening checklist to help you decide when to do a DPIA.
- It is also good practice to do a DPIA for any other major project which requires the processing of personal data.
- Your DPIA must:
- describe the nature, scope, context and purposes of the processing;
- assess necessity, proportionality and compliance measures;
- identify and assess risks to individuals; and
- identify any additional measures to mitigate those risks.
- To assess the level of risk, you must consider both the likelihood and the severity of any impact on individuals. High risk could result from either a high probability of some harm, or a lower possibility of serious harm.
- You should consult your DPO (if you have one) and, where appropriate, individuals and relevant experts. Processors may need to assist.
- If you identify a high risk and you cannot mitigate that risk, you must consult the ICO before starting the processing.
- The ICO will give written advice within eight weeks, or 14 weeks in complex cases. In appropriate cases we may issue a formal warning not to process the data, or ban the processing altogether.
