The DPIA, or data protection impact assessment, is an important part of GDPR compliance. Under what circumstances do you need a DPIA, and how do you implement it?

What is a DPIA?

Also known as a privacy impact assessment, a DPIA is a tool which enables organisations to identify the most effective way of complying with their data protection obligations and protecting customers' data, according to the ICO, the UK regulator. It is also defined as a privacy-related assessment of how privacy can be affected by certain actions.

When is it required?

The ICO says that a DPIA is required under these circumstances:

  • when using new technologies
  • when the processing is likely to result in a high risk to the rights and freedoms of individuals

When might processing pose a high risk to the rights and freedoms of individuals?

The ICO then lists three details relating to these circumstances, namely when the processing of data is:

  • systematic and extensive
  • large-scale and related to criminal convictions or offences
  • large-scale, systematic monitoring of public areas.

What should a DPIA include?

  • A description of the data processing, and an explanation of the purpose and the rationale behind it.
  • An assessment of how necessary the data processing is, and whether the processing is proportionate to the purpose.
  • A risk consideration, detailing any risks to data subjects that the processing may entail.
  • An outline of the measures in place to reduce risk; this must include the security procedures and technology used, and must show compliance with the requirements of the GDPR.

Finally, a DPIA can apply to multiple projects, meaning it may not be necessary to start a new DPIA for every project, provided the specific data privacy issues are already covered in the existing DPIA.

A DPIA does not guarantee GDPR compliance in the areas described here, but it is an important tool in the compliance journey.

GDPR Summit Series is a global series of GDPR events which will help businesses to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond.

Further information and conference details are available at