Blog
If so, you’ll need to know about Data Protection Impact Assessments, or DPIAs. A DPIA is required by the Information Commissioner’s Office (ICO) for any project that involves the processing of personal data that carries potential risks to individuals. There can be serious penalties for not doing one, if your project requires it. But if you’re new to the world of DPIAs, they can be pretty mystifying. What exactly are they? Does your project actually need one? What should be in it – and what happens to it once it's complete? Read on for some straightforward answers to these questions and more.
DPIA stands for data protection impact assessment. It's an assessment you carry out at the start of a project that helps you make sure you’re processing personal data safely, responsibly and legally. It prompts you to identify and minimise any data protection risks.
You must do a DPIA if your project includes processing personal data that’s likely to result in a high risk to individuals if that data was leaked.
It’s not just about how likely a data breach is, but also how severe the consequences of one might be for the people whose privacy has been compromised.
You also need to do a DPIA in some other cases – see the ICO website for a full list of these.
For high-risk projects where a DPIA is legally required, not doing one can lead to prosecution, big fines – and potentially legal action too, if people’s data is compromised. So unless you're sure your project doesn't need one, check against the ICO's list and ask them if you're unsure.
Consider two questions:
If you (and your data protection officer, if you have one) decide your project isn’t high risk, it might still be good practice to do a DPIA if you will be processing people's personal data.
You should complete the DPIA (and submit it, if necessary - see below) before you start processing personal data.
You can download a sample DPIA template from the ICO website. You'll find advice in each section of the form.
Essentially, your DPIA should include the following:
There’s a checklist on the ICO website to help you decide if you have written a good DPIA. Contact the ICO if you’re unsure about a section, or want to check something.
Keep the DPIA on file and review it regularly – this protects both your organisation and the people whose data you’re processing. See also Managers' responsibilities, below.
If your DPIA identifies a high risk and you can’t take measures to reduce it, you must contact the ICO to let them know and send them a copy of the DPIA.
Wait for their response before you start processing anyone’s personal data. This can take a few weeks.
As a manager, you should provide training for relevant staff on how to carry out a DPIA.
Create a DPIA process, or guide, and make sure staff know where to find it. Build references to DPIA requirements into your organisational policies and procedures.
Make sure you and your staff understand:
DPIAs vary across different projects and organisations, so no two DPIAs will be the same. But here are a couple of publicly available examples to give you an idea of what a completed one might look like:
DPIA – Youth Endowment Fund (PDF)
DPIA – NHS Tayside Charitable Foundation (PDF)
Maybe it goes without saying - but always speak to your data protection officer, if you have one.
If you're unsure about something in the DPIA or how to answer it, get in touch with the ICO. There's a wealth of advice on their website too, including DPIA checklists you can use or adpt.
Get more time to do the important things
Get in touch
