A Data Protection Impact Assessment (DPIA) is the principal “data protection by design” tool in the UK GDPR. It is a structured way of working out, before processing begins, what could go wrong for individuals and how to reduce those risks to an acceptable level. A well-run DPIA both protects people and demonstrates the accountability principle in Article 5(2) of the UK GDPR.
When a DPIA is mandatory
Article 35 of the UK GDPR requires a DPIA whenever processing is likely to result in a high risk to the rights and freedoms of natural persons, especially where it involves new technologies. Article 35(3) lists trigger cases: systematic and extensive automated evaluation or profiling that produces legal or similarly significant effects; large-scale processing of special category or criminal-offence data; and large-scale systematic monitoring of publicly accessible areas. The Information Commissioner’s Office (ICO) supplements this with its own list of processing operations that always require a DPIA.
The DPIA process and ICO consultation
Article 35(7) sets out the minimum content: a systematic description of the processing and its purposes; an assessment of necessity and proportionality; an assessment of the risks to individuals; and the measures envisaged to address those risks, including safeguards and security. The Data Protection Officer’s advice must be sought where one is appointed. If, after mitigation, a high residual risk remains, Article 36 obliges the controller to consult the ICO before proceeding.
Who it applies to
Any controller carrying out high-risk processing, including financial firms deploying analytics, profiling, monitoring or large-scale handling of sensitive client data.