*** Festive greetings to all our users, colleagues and partners! Check our revised opening times here *** 

Confused by DPIAs? You're not alone! Read on for some no-nonsense answers to common questions...

Thinking about running a project that involves collecting people's personal data?

If so, you’ll need to know about Data Protection Impact Assessments, or DPIAs. A DPIA is required by the Information Commissioner’s Office (ICO) for any project that involves the processing of personal data that carries potential risks to individuals. There can be serious penalties for not doing one, if your project requires it. But if you’re new to the world of DPIAs, they can be pretty mystifying. What exactly are they? Does your project actually need one? What should be in it – and what happens to it once it's complete? Read on for some straightforward answers to these questions and more.

Back to basics: what is a DPIA?

DPIA stands for data protection impact assessment. It's an assessment you carry out at the start of a project that helps you make sure you’re processing personal data safely, responsibly and legally. It prompts you to identify and minimise any data protection risks.

In what circumstances would I need to do a DPIA?

You must do a DPIA if your project includes processing personal data that’s likely to result in a high risk to individuals if that data was leaked.

It’s not just about how likely a data breach is, but also how severe the consequences of one might be for the people whose privacy has been compromised.

You also need to do a DPIA in some other cases – see the ICO website for a full list of these.

What if I don't do a DPIA?

For high-risk projects where a DPIA is legally required, not doing one can lead to prosecution, big fines – and potentially legal action too, if people’s data is compromised. So unless you're sure your project doesn't need one, check against the ICO's list and ask them if you're unsure.

How do I decide what's 'high risk'?

Consider two questions:

  • How likely is it that the data could fall into the wrong hands?
  • How severe would the consequences for people be, if it did? 

If you (and your data protection officer, if you have one) decide your project isn’t high risk, it might still be good practice to do a DPIA if you will be processing people's personal data. 

At what point should I do the DPIA?

You should complete the DPIA (and submit it, if necessary - see below) before you start processing personal data.

How do I fill in a DPIA?

You can download a sample DPIA template from the ICO website.  You'll find advice in each section of the form.

Essentially, your DPIA should include the following:

  • Your project’s goals
  • The type of data you’ll be capturing, how it will be collected, stored and deleted, why collecting the data is necessary, and what it will be used for.
  • How personal data will flow between people, systems and organisations - explaining everyone’s roles (a diagram is helpful)
  • How you’ll keep this data secure (and ensure all staff comply with this). This should include explaining:
    - how you'll comply with the GDPR data protection principles, and
    - the lawful basis for processing the information you’ll be collecting.
  • What sort of risks this processing poses to people’s rights and freedoms, how likely and how severe these risks are, and how you will mitigate them.
  • How you consulted with the people whose data is being processed – or when and how you plan to do this (or say why you don’t think this is required).
  • The outcomes of your DPIA and a schedule for reviewing it.

There’s a checklist on the ICO website to help you decide if you have written a good DPIA. Contact the ICO if you’re unsure about a section, or want to check something.

What happens when I've finished the DPIA?

Keep the DPIA on file and review it regularly – this protects both your organisation and the people whose data you’re processing. See also Managers' responsibilities, below.

If your DPIA identifies a high risk and you can’t take measures to reduce it, you must contact the ICO to let them know and send them a copy of the DPIA. 

Wait for their response before you start processing anyone’s personal data. This can take a few weeks.

Managers' responsibilities with regard to DPIAs

As a manager, you should provide training for relevant staff on how to carry out a DPIA.

Create a DPIA process, or guide, and make sure staff know where to find it. Build references to DPIA requirements into your organisational policies and procedures.

Make sure you and your staff understand:

  • that they need to consider a DPIA at the early stages of any project involving personal data
  • which types of data processing legally require a DPIA (see the ICO screening checklist)
  • how to document reasons, if they decide a DPIA isn’t needed.

Where can I get help with my DPIA?

Maybe it goes without saying - but always speak to your data protection officer, if you have one.

If you're unsure about something in the DPIA or how to answer it, get in touch with the ICO. There's a wealth of advice on their website too, including DPIA checklists you can use or adpt.

Home visit

Get more time to do the important things

Get in touch

Latest blog posts

Happy laptop users

Pricing models

It's brilliant, it's radical, it saves money: the benefits of income-based pricing

Charity worker writing bid

Funding bids

Preparing a successful funding bid - top 10 tips

Hand holding spanner

Best practice CRMs

Has a tech-savvy friend offered to build you a CRM on the cheap? Just say no.

Back to all blog posts