Data Protection Impact Assessment
(GDPR Compliant)
Summary
This Data Protection Impact Assessment (DPIA) template is also known as a privacy impact assessment (PIA). It provides a structured framework for you to identify and assess the risks to data protection, security, or privacy of a specific project, e.g., the introduction of a new HR system. It follows the DPIA process set out in ICO guidance, with nine key stages. This template contains practical guidance, drafting notes, and optional clauses.

A data protection impact assessment (DPIA) does what the name suggests—it's a way of assessing the data protection impact of a particular project or process on any affected individuals. You do not need to worry at length about the scale of a DPIA. A well-implemented DPIA process can sit alongside a project of any size.

The ICO guidance on DPIAs can be found in two locations: Guide to the GDPR, Accountability and Governance, Data Protection Impact Assessments and Data Protection Impact Assessments (DPIAs). See Information Commissioner's Office: Data Protection Impact Assessments (DPIAs).

Are DPIAs Mandatory?
A DPIA is compulsory in the case of:
• Systematic and extensive evaluation of personal aspects relating to natural persons based on automated processing (including profiling) on which decisions are based that produce legal effects concerning a data subject or similarly significantly affect a data subject
• Processing on a large scale of special category personal data or data relating to criminal convictions and offences
• Systematic monitoring of a publicly accessible area on a large scale
See Article 35 of Regulation (EU) 2016/679, GDPR.

Where none of these apply, the GDPR still requires a DPIA where the processing, in particular using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons. See EDPB Guidelines on Data Protection Impact Assessment (DPIA), Part III B.

The European Data Protection Board (EDPB) guidelines set out nine criteria which may act as indicators of when processing is likely to result in a high risk to the rights and freedoms of individuals. The ICO is required by Article 35(4) to publish a list of the kinds of processing operations that are likely to be high-risk and require a DPIA. The ICO has produced a list of ten types of processing that automatically require a DPIA. These are reflected in the screening questions at section . Some of the operations in the ICO's list require a DPIA automatically, and some only when they occur in combination with one of the other items, or with any of the criteria in the EDPB Guidelines. Where relevant, this is reflected in the individual questions in section . See ICO: Guide to the GDPR, DPIAs.

At What Stage of a Project Should You Conduct a DPIA?
Generally, ICO guidance anticipates that DPIAs will be conducted at the start of a project. This is consistent with the GDPR, which requires that the DPIA is carried out before the processing starts. Although DPIAs work best on a new project, they can also be useful when you are planning changes to an existing system or reviewing an existing system, so long as there is a realistic opportunity to change that system. See Article 35 of Regulation (EU) 2016/679, GDPR.

Who Should Conduct the DPIA?
Under the GDPR regime, the DPO (if you have one) is not required to conduct the DPIA, but the organisation is required to seek the DPO's advice when carrying out the DPIA. If you do have a DPO, they will be well placed to conduct the DPIA. If not, a project, risk, or other manager should at least be able to start the DPIA process, even if they do not have specialist data protection knowledge.

Ultimately, an effective DPIA will involve various people in the business, and you should consider assembling a team depending on the nature of the project (e.g., your IT manager, risk partner, Head of HR, compliance officer, DPO, etc.). See Article 35 of Regulation (EU) 2016/679, GDPR.

For a full listing of related data security and privacy content for first-year associates, see First-Year Associate Resource Kit: Data Security and Privacy.