Data Protection Impact Assessments

Data protection impact assessments (DPIAs) are required where organisations are carrying out data processing activities which are likely to result in a “high risk” to the rights and freedoms of data subjects. The text of the GDPR itself does not provide much guidance as to what would be considered a “high risk” but the ICO has given the following examples:

  • where there are systematic and extensive processing activities, including profiling and where decisions that have legal effects (or similarly significant effects) on the data subjects
  • where there is large scale processing of special categories of data or personal data relating to criminal convictions or offences
  • where the processing activities affect a large number of individuals, such as large scale, systematic monitoring of public areas (including CCTV)


DPIAs can be put in place to cover specific projects or to cover the processing activities carried out by an organisation or a department within an organisation. The DPIA must be put in place before starting the relevant processing.


The GDPR does not set out the process for undertaking DPIAs but guidance issued by the ICO states that a DPIA should contain:

  • a description of the processing operations
  • details of the purposes for which the processing is carried out
  • an assessment of the necessity and proportionality of the processing in relation to the purpose
  • an assessment of the risks to the rights and freedoms of the data subjects
  • the technical and organisational measures in place to address those risks


If a DPIA carried out by a data controller indicates that the envisaged processing would result in a “high risk”, the data controller is required to consult with its local supervising authority (in the UK this would be the ICO) prior to commencement of the processing. However, consultation may not be required if the data controller is of the opinion that reasonable steps can be taken to mitigate the risk. While the obligations to carry out DPIAs and to consult with the ICO in relation to “high risk” processing only apply to data controllers, data processors are required to assist data controllers in complying with these obligations.