Skip to content
CityLearning
Data & operational

DPIA (Data Protection Impact Assessment)

A Data Protection Impact Assessment (DPIA) is a documented process for identifying and minimising the data protection risks of a project. Under Article 35 of the UK GDPR, a DPIA is mandatory where processing is likely to result in a high risk to the rights and freedoms of individuals.

A Data Protection Impact Assessment (DPIA) is the principal “data protection by design” tool in the UK GDPR. It is a structured way of working out, before processing begins, what could go wrong for individuals and how to reduce those risks to an acceptable level. A well-run DPIA both protects people and demonstrates the accountability principle in Article 5(2) of the UK GDPR.

When a DPIA is mandatory

Article 35 of the UK GDPR requires a DPIA whenever processing is likely to result in a high risk to the rights and freedoms of natural persons, especially where it involves new technologies. Article 35(3) lists trigger cases: systematic and extensive automated evaluation or profiling that produces legal or similarly significant effects; large-scale processing of special category or criminal-offence data; and large-scale systematic monitoring of publicly accessible areas. The Information Commissioner’s Office (ICO) supplements this with its own list of processing operations that always require a DPIA.

The DPIA process and ICO consultation

Article 35(7) sets out the minimum content: a systematic description of the processing and its purposes; an assessment of necessity and proportionality; an assessment of the risks to individuals; and the measures envisaged to address those risks, including safeguards and security. The Data Protection Officer’s advice must be sought where one is appointed. If, after mitigation, a high residual risk remains, Article 36 obliges the controller to consult the ICO before proceeding.

Who it applies to

Any controller carrying out high-risk processing, including financial firms deploying analytics, profiling, monitoring or large-scale handling of sensitive client data.

UK GDPR, operational resilience and financial crime.

Frequently asked questions

When is a DPIA required under the UK GDPR?
Article 35 of the UK GDPR makes a Data Protection Impact Assessment mandatory where a type of processing is likely to result in a high risk to individuals' rights and freedoms, in particular systematic and extensive profiling with significant effects, large-scale processing of special category data, or large-scale systematic monitoring of a public area. The ICO also publishes a list of operations that always require a DPIA.
What must a DPIA contain and when must the ICO be consulted?
Article 35(7) of the UK GDPR requires a DPIA to describe the processing and its purposes, assess its necessity and proportionality, evaluate the risks to individuals, and set out the measures to address those risks. Under Article 36, if a DPIA shows a high residual risk that cannot be mitigated, the controller must consult the ICO before starting the processing.

Reviewed by Margaret Hassett

← Back to the compliance glossary

Turn definitions into training

See how CityLearning's UK compliance courses help your team understand terms like this in practice.