Data protection impact assessment (DPIA)

A DPIA is a risk assessment tool used to identify and minimise the risks to individuals that arise when their personal information is collected and processed. An effective DPIA helps an organisation evaluate a processing activity in full and identify where and how it must meet its data protection obligations before the processing begins.

A DPIA must be carried out whenever the collection and processing of personal data is likely to result in a high risk to the rights and freedoms of individuals (this usually means financial, reputational or emotional harm, and in some cases physical harm). In particular, a DPIA is required when an organisation plans to carry out:

  • Systematic profiling of individuals
  • Large-scale processing of sensitive (special category) data, such as health data
  • Processing that uses new technologies
  • Systematic monitoring of publicly accessible areas

A DPIA is not a one-off exercise. It must be revisited and updated as the processing develops or changes, and in particular whenever new risks or issues are identified. Data Protection Officers or Information Governance Teams can advise practitioners on the local arrangements for completing a DPIA, and the Information Commissioner's Office (ICO) publishes screening checklists that help decide whether a DPIA is needed.