• A Data protection impact assessment (DPIA) is a process to help you identify and minimise the data protection risks of a project.
  • Organisations should do a DPIA for processing that is likely to result in a high risk to individuals.
  • It is also good practice to do a DPIA for any other major project which requires the processing of personal data.
• A DPIA must:
  • describe the nature, scope, context and purposes of the processing;
  • assess necessity, proportionality and compliance measures;
  • identify and assess risks to individuals; and
  • identify any additional measures to mitigate those risks.
• To assess the level of risk, you must consider both the likelihood and the severity of any impact on individuals. High risk could result either from a high probability of some harm or from a lower probability of serious harm.
  • You should consult your data protection officer (if you have one) and, where appropriate, individuals and relevant experts.
• Reasons for undertaking a DPIA include:
  • if you’re using new technologies;
  • if you’re tracking people’s location or behaviour;
  • if you’re processing children’s data;
  • if you’re systematically monitoring a publicly accessible place on a large scale;
  • if the data you’re processing could result in physical harm to the data subjects if it is leaked;
  • if you’re processing personal data related to “racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation”;
  • if your data processing is used to make automated decisions about people that could have legal (or similarly significant) effects.