MAKE YOUR FREE Data Protection Impact Assessment (DPIA)
What we'll cover
What is a DPIA?
When should I use a DPIA?
- if you are undertaking a project that involves the processing of personal data
- if the processing is likely to result in a high risk to the rights and freedoms of individuals
- where personal data is not being transferred outside of England, Wales and Scotland
Sample Data Protection Impact Assessment (DPIA)
The terms in your document will update based on the information you provide
DATA PROTECTION IMPACT ASSESSMENT

PART 1

| Field | Entry |
|---|---|
| Date of the assessment | |
| Who is carrying out the assessment? | |
| Controller organisation | |
| Assessment to be kept under review by | |
| Project | |
| What does the project aim to achieve? | |
| What types of data processing are involved? | |
| Processing | |
| Nature of the personal data | |
| Benefits of the processing | |
| How much personal data will you be collecting and using? How often? | will be collected |
| How long will you keep the personal data for? | . |
| Individuals affected by the processing | |
| Geographical areas covered | |
| How will data processing be carried out? | Collection of personal data; use of personal data; storage of personal data; deletion of personal data |
| Source of the personal data | |
| Will you be sharing the personal data with anybody? | |
| High-risk processing identified | |
| Wider processing context | Are there any prior security flaws or concerns over this type of processing? Is any new technology being used or is any existing technology being used in a new way? What is the current state of technology in this area? Are there any current issues of public concern that should be addressed? |
| Stakeholders | |
| Compliance | |
| Lawful basis for processing | |
| Processor compliance | |
| Proportionality | |

PART 2 - RISK ASSESSMENT

| Source of risk | Potential impact on individuals | Likelihood of harm | Severity of harm | Overall risk |
|---|---|---|---|---|
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
About Data Protection Impact Assessments (DPIAs)
Learn more about making your Data Protection Impact Assessment (DPIA)
How to make a Data Protection Impact Assessment (DPIA)
Making a DPIA online is simple. Just answer a few questions and Rocket Lawyer will build your document for you. When you have all of the details prepared in advance, making your document is a quick and easy process.
To make your DPIA you will need the following information:
Organisation details
- What is the name of the organisation controlling how the data is processed?
- Who is carrying out this DPIA?
- On what date is this DPIA being carried out?
- Who will keep the DPIA under review?
Project
- What is the aim of your project?
- Is there a link to a proposal explaining the project? If so, what is the URL?
Processing
- What types of personal data are being processed?
- What are the benefits of processing the data?
- How much data will be collected?
- How often will this data be collected?
- Will the data be stored:
  - For a set period of time? If so, how long will it be stored for?
  - According to your data retention policy? If so, what is the policy’s URL?
- Does the project involve processing personal data about children or vulnerable groups?
- How many people's personal data will be processed?
- Whose data will be processed?
- How can individuals control whether or not their data is processed?
- How might individuals be affected by the processing of their data?
- How will the organisation inform individuals that their data is being processed?
- How will the organisation support individuals' rights to protect their data?
- What geographical area is covered by the processing?
- How will the data be collected?
- How will the data be used?
- How will the data be stored?
- How will the data be deleted?
- Will data be processed in any other ways? If so, how?
- Where will the data be obtained from?
- Will the data be shared with anyone? If so, with whom will it be shared?
- Does the project involve any higher-risk processing activities?
- How might external factors influence the processing?
Codes of conduct and certification schemes
- Has the organisation signed up to an approved code of conduct? If so, provide details.
- Has the organisation signed up to a certification scheme? If so, provide details.
Compliance
- Which lawful basis for processing lets you process the data?
- If you are processing sensitive personal data:
  - Which condition for processing allows the organisation to process the sensitive personal data?
  - If relevant, why is the processing necessary for reasons of substantial public interest?
  - If relevant, why does the organisation not have to obtain consent to process the sensitive personal data?
- If you are processing criminal offence data:
  - Is the criminal offence data processed by a public or private body with official authority, or with authorisation of UK law?
  - If relevant, which condition for processing allows the organisation to process the criminal offence data?
  - If relevant, why does the organisation not have to obtain consent to process the criminal offence data?
- How do the organisation's data processors comply with data protection laws?
- How will the organisation prevent the data from being used for projects other than the project specified in the DPIA?
- How will the organisation ensure data quality and accuracy?
- How will the organisation ensure data minimisation?
- Is there another way to achieve the organisation's objective? If so, what is it?
Consultation
- Will internal stakeholders be consulted?
  - If so, what are their details, when will they be consulted, and how will they be consulted?
  - If not, why won’t they be consulted?
- Will experts be consulted?
  - If so, what are their details, when will they be consulted, and how will they be consulted?
  - If not, why won’t they be consulted?
Risks of data processing
- What are the details of any potential risks?
- Do any potential risks have an overall risk level of 'medium' or 'high'? If so, provide details of any reduction/elimination of the medium and high risks.
Review
- What is the reviewer’s advice?
- Has the reviewer's advice been accepted or overruled?
  - If relevant, why has the advice been overruled?
- What are the reviewer's comments on internal stakeholder and/or expert consultations?
Common terms in a Data Protection Impact Assessment (DPIA)
A Data Protection Impact Assessment (DPIA) is used to identify and minimise the data protection risks of a project that an organisation is undertaking. To do this, DPIAs usually cover:
Background
The first part of the DPIA provides the basic details of the assessment (eg its date and by whom it was carried out) and the controller organisation (eg the organisation’s name).
Project
This section outlines the specifics of the project for which the DPIA is being carried out.
Processing
This is the most detailed section of the Data Protection Impact Assessment, which sets out how the personal data is being processed for the project. This includes things like:
- the nature of the personal data
- the benefits of the processing
- how much personal data will be collected and used and how often
- the geographical areas covered
- the source of the personal data
- any high-risk processing identified
- the wider context of the processing
Stakeholders
This section details whether any internal and/or external stakeholders will be consulted in relation to the DPIA. Where stakeholders will be consulted, details of the consultation will be included here. If stakeholders will not be consulted, this section will set out why.
Compliance
This section covers the organisation’s compliance with data protection requirements. Specifically, it covers:
- the lawful basis for the data processing
- if relevant, the conditions for the processing of any special category data
- if relevant, the associated conditions for the processing of special category data
- if relevant, the conditions for the processing of any criminal offence data
- if relevant, the associated conditions for the processing of criminal offence data
It also details the proportionality of the processing and sets out how, in its processing, the organisation will take steps to:
- prevent function creep (ie the use of personal data for a purpose other than the purpose that was originally specified)
- ensure the quality and accuracy of the personal data
- ensure data minimisation
Risk assessment
This section details any specific risks identified by the DPIA and their potential effects on any individuals. It also assigns a likelihood of harm, a severity of harm and an overall risk level to each risk identified.
Measures to reduce risk
This section details any specific risks identified with an overall risk level of medium or high. It then sets out potential measures that can be implemented to reduce or eliminate the risk in question. It also sets out the effect of the measures on the risk, the risk level after the implementation of the measures to reduce/eliminate the risk and whether the measures have been approved.
This section will only appear if the risk assessment section identifies risks that have an overall medium or high risk level.
Sign off
This section provides details of the approvals for any risks with an overall risk level of medium or high. This includes setting out the date of approval, the details of the person who approved the measures and their advice on the situation.
This section will only appear if the risk assessment section identifies risks which have an overall medium or high risk level.
If you want your Data Protection Impact Assessment (DPIA) to include further or more detailed provisions, you can edit your document. However, if you do this, you may want a lawyer to review or change the Data Protection Impact Assessment (DPIA) for you, to make sure it complies with all relevant laws and meets your specific needs. Ask a lawyer for assistance.
Legal tips for making a Data Protection Impact Assessment (DPIA)
Understand how best to use this DPIA
A DPIA is a comprehensive document. Completing it requires you to provide a significant amount of information about the project your organisation is planning and the data processing involved.
Therefore, we recommend that you create and log into a Rocket Lawyer account before starting to make your DPIA. This ensures that, so long as you have an adequate internet connection, your progress will be saved if you’re interrupted whilst answering the interview questions.
Consider whether you need further assistance
DPIAs form an important part of an organisation’s data protection practices and are an important GDPR compliance tool. However, because of their role in identifying and minimising the data protection risks of a given project, they are very detailed and complex and can be arduous to complete. Consider using our GDPR Compliance Advice Service to help you make your DPIA.
Consider what other data protection documents you may need
A DPIA is only one of the many different documents designed to help organisations comply with their data protection obligations. Depending on what it is you are trying to achieve, you may consider creating a variety of other documents, such as:
- Appropriate policy documents, if you process certain types of sensitive personal data or criminal offence data under a DPIA
- Legitimate interest assessments, if you want to process personal data in reliance on the legitimate interest ground
- Data processing agreements, if you outsource the processing of personal data to a data processor
You can make your GDPR documents with Rocket Lawyer.
Understand when to seek advice from a lawyer
Ask a lawyer for advice if:
- you have any questions about DPIAs
- this document doesn’t meet your specific needs
- you are transferring data outside England, Wales and Scotland
Data Protection Impact Assessment (DPIA) FAQs
What should a DPIA include?
This DPIA covers:
- project details
- who the data subjects (ie the individuals the data relates to) are
- the nature, scope, context and purposes of the processing
- details of any internal stakeholder and/or external expert consultations
- the necessity, proportionality and compliance measures of the processing
- the identification and assessment of any risks to individuals
- the identification of any additional measures to reduce or eliminate any risks
Do I need a DPIA?
DPIAs need to be completed where the processing (eg obtaining or recording) of personal data (eg names, addresses and information about racial or ethnic origin) is likely to result in a high risk to the rights and freedoms of individuals. A ‘risk’ is the potential for any significant physical, material or non-material harm to individuals. To determine whether a risk is a ‘high risk’, the likelihood and the severity of any potential harm to individuals need to be considered.
For more information on when processing is likely to result in a high risk to the rights and freedoms of individuals, read Data protection impact assessments.
DPIAs are important GDPR compliance tools, but they can be complex. Our GDPR compliance advice service can help you make your DPIA.
How do I know if I need a DPIA?
Generally, a DPIA should be considered whenever you intend to undertake a project involving the use of personal data. A DPIA should also be considered when you plan to carry out any:
- evaluation or scoring (eg a financial institution screening customers against a credit reference or an anti-money laundering database)
- automated decision-making with significant effects (eg processing that may lead to the exclusion of or discrimination against individuals)
- systematic monitoring (ie processing used to observe, monitor or control data subjects, including data collected through networks or the systematic monitoring of a publicly accessible area)
- processing of sensitive personal data or data of a highly personal nature (eg hospitals keeping patients’ medical records or private investigators keeping offenders’ details)
- processing on a large scale (large scale either due to the number of data subjects concerned, the volume of data, the duration/performance of the processing or the geographical extent of the processing activity)
- processing of personal data concerning vulnerable data subjects (eg children, employees and vulnerable individuals requiring special protection)
- innovative technological/organisational solutions (eg certain ‘Internet of Things’ applications, with an impact on individuals’ daily lives and privacy)
- processing that involves preventing data subjects from exercising a right or using a service or contract (eg banks screening customers against a credit reference database when deciding whether to offer them a loan)
Under the GDPR, a DPIA should always be carried out when you plan to:
- use systematic and extensive profiling or automated decision-making to make significant decisions about people (eg employers monitoring staff internet habits to ensure they aren’t using it for illicit purposes)
- process special category or criminal offence data on a large scale
- systematically monitor a publicly accessible place on a large scale (eg use of CCTV in public spaces)
- involve the use of new technologies, or the novel application of existing technologies, for data processing (eg artificial intelligence, machine learning and deep learning)
- use profiling, automated decision-making or special category data to help make decisions on someone’s access to a service, opportunity or benefit (eg credit card or mortgage checks)
- carry out profiling on a large scale (eg data processed by smart meters)
- process biometric data to uniquely identify an individual (eg facial recognition systems)
- process genetic data, other than by an individual GP/healthcare professional in the course of providing healthcare to the data subject (eg DNA testing)
- combine, compare or match data from multiple sources (eg direct marketing)
- process personal data involving tracking an individual’s geolocation or behaviour (eg web- and cross-device tracking)
- process children’s/vulnerable individuals’ personal data for marketing, profiling for automated decision making or the offer of online services (eg toys connected to the internet)
- process personal data that could result in a risk of physical harm in the event of a security breach
For more information, read Data protection impact assessments and the Information Commissioner’s Office’s (ICO’s) list of examples of data processing that will (likely) require a DPIA.
What do I need to consider before carrying out a DPIA?
Before you carry out your DPIA, you should consider:
- what data is being processed and why (this is the aim of the project)
- if the data processing is likely to result in a high risk to the data subjects
- what the benefits of you processing the data are (ie consider the benefits for you and for society as a whole)
- how you will ensure that individuals’ rights in relation to their data will be implemented and supported
- any potential risks associated with your processing of the data, and how these could be reduced or eliminated
- whether you can achieve the same result in any other way (especially if that way may be less intrusive)
Consider familiarising yourself with the DPIA process by reading the following:
- Data protection impact assessments - providing an overview of what DPIAs cover and entail
- Compliance for DPIAs - for guidance on the steps you need to take to process personal data in compliance with data protection laws
- Substantial public interest for DPIAs - for information on the ‘substantial public interest’ condition under which special category sensitive data can be processed
- Criminal offence data for DPIAs - for more information on when criminal offence data can be processed
What is personal data?
Personal data is information relating to individuals who can be personally identified from that data (on its own or combined with other data held). Personal data includes (but is not limited to) names, contact details and job titles.
There is a further 'special category' of 'sensitive personal data' which is awarded greater protection under the law and includes information about:
- racial or ethnic origin
- political opinions
- religious or similar beliefs
- trade union membership
- physical or mental health conditions
- sexual life
- biometrics (eg fingerprint data/facial images) and genetics
While criminal offence data (ie personal data relating to criminal convictions and offences or related security measures) is treated separately from personal data and special category data, it is subject to even tighter controls.
Due to the sensitive nature of special category personal data and criminal offence data, further conditions for processing need to be met and recorded in a DPIA. See Compliance for DPIAs for more information.
For more information on personal data, read Data protection.
What are the lawful grounds for processing?
You will only be able to process personal data if you have a lawful basis for doing so. DPIAs should set out which lawful ground(s) for processing you are relying on, including if the:
- data subject has consented to the processing
- processing is necessary for the performance of a contract
- processing is necessary to comply with the law
- processing is necessary to protect someone’s ‘vital interests’
- processing is necessary for the performance of a task in the public interest or for the organisation’s official functions
- processing is necessary for the organisation’s or a third party’s legitimate interests (a Legitimate interest assessment will need to be carried out)
For more information on the grounds for data processing, read Compliance for DPIAs.
When can I process sensitive personal data?
To process special category sensitive data, in addition to having a lawful basis for processing, further conditions for processing need to be met and recorded in your DPIA. These include if:
- the data subject has explicitly consented to the processing
- the processing is necessary for you to carry out your obligations and exercise specific rights in the field of employment and social security and social protection law
- the processing is necessary to protect the vital interests of a data subject or another person and the data subject is incapable of giving consent
- you are a not-for-profit body processing special category data as part of your legitimate activities
- the processing relates to personal data that has been made public by the data subject
- the processing is concerning legal claims or judicial acts
- the processing is necessary for reasons of substantial public interest
- the processing is necessary for health or social care purposes
- the processing is necessary due to public interest in public health
- the processing is necessary for statistical or archiving purposes or for scientific or historical research purposes, and is in the public interest
For more information on these further conditions for processing, read Compliance for DPIAs. Note that, if you wish to process special category sensitive data for reasons of substantial public interest, you will need to meet further ‘associated conditions’. For more information on this, read Substantial public interest for DPIAs.
When can I process criminal offence data?
To process criminal offence data, in addition to having a lawful basis for processing, you need to show that you are processing the data under the control of official authority or authorised to process the data under UK law.
Processing under the control of official authority means that you have the authority to process criminal offence data under the law, and you must be able to point to a specific law that provides you with such authority. Generally, public bodies (and private bodies given public sector tasks) may have such authority to process. For example, the courts have specific official authority to process criminal offence data.
If you are not processing under the control of official authority, you can only process criminal offence data if you are authorised to do so by UK law. This means that one of the 28 conditions set out in the Data Protection Act 2018 needs to be met. These 28 conditions include, but are not limited to, processing criminal offence data for reasons of fraud prevention, suspicion of terrorist financing or money laundering, and insurance.
For more information, read Compliance for DPIAs and Criminal offence data for DPIAs.
Do I need an appropriate policy document?
In certain situations, an Appropriate policy document (APD) will need to be in place before you process special category sensitive data or criminal offence data. An APD is a document outlining the organisation’s compliance measures and retention policies for these types of data.
For more information on when an APD is needed, read Appropriate policy documents.
Do I need to consult with the ICO?
If, while carrying out your DPIA, you identify any risks with a high overall (residual) risk level and you cannot mitigate these risks, you must consult with the ICO. You cannot proceed with your processing of the data until after you have done this. The ICO will generally give written advice within 8 weeks, but this timeframe may be extended. Read Data protection impact assessments for more information.
What is the project?
The project is the reason why you are processing the personal data. In your DPIA, you should provide detailed information on why you want to carry out the project and what types of data processing this involves. Where possible, you should link to any project plans that exist.
Do I need to review an existing DPIA?
Once completed, the ongoing performance of the DPIA should be kept under review and monitored as it may be necessary to carry out another assessment before the project plans are finalised. Bear in mind that it may be necessary to carry out a new DPIA if there is a substantial change to the nature, scope, context or purposes of the data processing. Read Data protection impact assessments for more information.
Our quality guarantee
We guarantee our service is safe and secure, and that properly signed Rocket Lawyer documents are legally enforceable under UK laws.
Need help? No problem!
Ask a question for free or get affordable legal advice from our lawyers.