
A data protection impact assessment (DPIA) is a process for systematically analysing how a proposed data processing activity could affect individuals' privacy. Under UK GDPR Article 35, you must carry out a DPIA before beginning any processing that is likely to result in a high risk to people's rights and freedoms.

DPIAs help you identify privacy risks early, build data protection into your processes from the start, and demonstrate to the ICO that you have considered the impact on individuals.

Who is responsible

As the data controller, you are responsible for carrying out the DPIA. This applies whether you process data yourself or use a data processor on your behalf. If you have a Data Protection Officer (DPO), you must seek their advice, but the final accountability sits with you. If joint controllers or processors are involved in the processing, include them in the assessment; a processor is obliged under Article 28(3)(f) to assist you with it.

When a DPIA is required

UK GDPR Article 35 sets out specific circumstances where a DPIA is mandatory. You must also consider whether any processing you carry out meets the ICO's additional criteria for high-risk processing.

When a DPIA is not required

Not every data processing activity needs a DPIA. You are unlikely to need one for:

  • Routine processing that is well-established and low risk (for example, standard payroll processing for a small team)
  • Processing that is very similar to something already assessed in a previous DPIA, provided the risks have not changed
  • Processing where the legal basis is a legal obligation or public task, and the relevant legislation already mandated a similar assessment

Use the ICO's screening checklist if you are unsure. The checklist helps you determine whether your processing is likely to be high risk and whether a full DPIA is needed. Even when a DPIA is not strictly required, the ICO recommends conducting one as good practice for any processing that could affect individuals.

Step-by-step DPIA process

Follow these steps to carry out a DPIA. The ICO provides a template you can use, but you are not required to follow a specific format. What matters is that your assessment is thorough and documented.

  1. Screen using the ICO checklist

    Use the ICO's screening checklist to confirm whether a full DPIA is needed. If you answer yes to any mandatory trigger, or yes to two or more of the additional criteria, you need a DPIA. Document this screening decision even if you conclude a DPIA is not required - the ICO may ask to see your reasoning.

  2. Describe the processing

    Set out exactly what you plan to do with personal data. Include: the nature of the processing (what operations), the scope (what data, how many people, geographic area), the context (your relationship with the individuals), and the purpose (why you are doing it). Be specific - vague descriptions will not support a meaningful risk assessment.

  3. Assess necessity and proportionality

    Explain why the processing is necessary for your stated purpose. Consider whether you could achieve the same outcome with less data or less intrusive processing. Confirm your lawful basis under Article 6 (and Article 9 condition if processing special category data). This step demonstrates you have considered alternatives and chosen the least privacy-intrusive approach.

  4. Identify and assess risks to individuals

    Consider what could go wrong for the individuals whose data you are processing: financial loss, identity theft, discrimination, reputational damage, loss of confidentiality, or significant inconvenience. For each risk, assess both the likelihood and the severity. Consider risks from data breaches, but also risks from the processing itself operating as intended (for example, profiling that could lead to unfair treatment).

  5. Identify measures to mitigate risks

    For each risk, decide what you will do to reduce it. Mitigation measures might include: encryption or pseudonymisation, access controls, staff training, data minimisation, shorter retention periods, transparency measures, allowing individuals to opt out, or changing the design of the processing. Record each measure alongside the risk it addresses and assess the residual risk after mitigation.

  6. Record and sign off outcomes

    Document your DPIA findings in a structured record: the description of processing, necessity assessment, each risk with its rating, mitigation measures, residual risk, and your decision on whether to proceed. The record should be approved by a senior decision-maker. If you have a DPO, record their advice and whether you followed it. Keep this record - the ICO can request to see it.

  7. Consult the ICO if high risk remains

    If your DPIA identifies a high risk that you cannot mitigate, you must consult the ICO before proceeding. The ICO has eight weeks to respond (extendable by six weeks for complex cases) and may advise you to change or stop the processing. Do not begin the processing until you have received the ICO's response. Proceeding without consultation when required is itself a breach of UK GDPR.
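The seven steps above can be kept as one structured record so that the screening decision, each risk's inherent and residual rating, and the Article 36 consultation check are recorded together rather than scattered across documents. The Python below is an added example, not ICO material or a template the ICO publishes. It uses the three-level likelihood and severity scales from the ICO's DPIA template (remote/possible/probable; minimal/significant/severe); how those combine into low/medium/high (the `rate` function), the `dpia_required` screening rule, and the wellbeing-app processing activity with its risks are this example's own constructed assumptions.

```python
"""Worked DPIA record: screening, risk rating, mitigation, sign-off and the ICO check.

Added example (not ICO code). The low/medium/high combination matrix and the
sample processing activity are assumptions made for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import IntEnum
from typing import List, Optional


class Likelihood(IntEnum):
    REMOTE = 1
    POSSIBLE = 2
    PROBABLE = 3


class Severity(IntEnum):
    MINIMAL = 1
    SIGNIFICANT = 2
    SEVERE = 3


def rate(likelihood: Likelihood, severity: Severity) -> str:
    """Combine likelihood and severity into low/medium/high (assumed matrix)."""
    score = int(likelihood) * int(severity)   # 1..9
    if score >= 6:       # probable+significant, possible+severe, probable+severe
        return "high"
    if score >= 3:       # includes remote+severe: unlikely but catastrophic
        return "medium"
    return "low"


def dpia_required(mandatory_hits: int, additional_hits: int) -> bool:
    """Step 1: any mandatory trigger, or two or more of the additional criteria."""
    return mandatory_hits >= 1 or additional_hits >= 2


@dataclass
class Risk:
    harm: str                         # step 4: what could go wrong for individuals
    likelihood: Likelihood
    severity: Severity
    mitigations: List[str] = field(default_factory=list)   # step 5
    residual_likelihood: Optional[Likelihood] = None        # after mitigation
    residual_severity: Optional[Severity] = None

    def inherent(self) -> str:
        return rate(self.likelihood, self.severity)

    def residual(self) -> str:
        # An unmitigated risk keeps its inherent rating.
        if self.residual_likelihood is None or self.residual_severity is None:
            return self.inherent()
        return rate(self.residual_likelihood, self.residual_severity)


@dataclass
class DPIA:
    processing: str               # step 2: nature, scope, context, purpose
    necessity: str                # step 3: why this, and why not less data
    lawful_basis: str             # Article 6 basis (+ Article 9 condition if needed)
    risks: List[Risk] = field(default_factory=list)
    dpo_advice: str = ""          # step 6: record the DPO's view
    approved_by: str = ""         # step 6: senior sign-off

    def must_consult_ico(self) -> bool:
        """Step 7: any residual high risk means prior consultation under Article 36."""
        return any(r.residual() == "high" for r in self.risks)

    def decision(self) -> str:
        if self.must_consult_ico():
            return "consult ICO before processing"
        if not self.approved_by:
            return "awaiting sign-off"
        return "proceed"


def sample_dpia() -> DPIA:
    """Constructed illustration: a voluntary staff wellbeing app collecting health data."""
    d = DPIA(
        processing="Wellbeing app: sleep/mood data from 400 UK employees, trends shared with HR",
        necessity="HR needs aggregated trends only; individual records are not required",
        lawful_basis="Art 6(1)(a) consent; Art 9(2)(a) explicit consent, no detriment for refusing",
        dpo_advice="Only aggregated data to HR; individuals must be able to opt out",
    )
    d.risks.append(Risk(
        harm="Health data seen by line managers, leading to discrimination",
        likelihood=Likelihood.POSSIBLE, severity=Severity.SEVERE,
        mitigations=["HR sees aggregated data only", "role-based access", "encryption at rest"],
        residual_likelihood=Likelihood.REMOTE, residual_severity=Severity.SEVERE,
    ))
    d.risks.append(Risk(
        harm="Profiling feeds performance decisions (unfair treatment)",
        likelihood=Likelihood.PROBABLE, severity=Severity.SIGNIFICANT,
        mitigations=["No per-person scores produced", "opt-out without detriment"],
        residual_likelihood=Likelihood.REMOTE, residual_severity=Severity.SIGNIFICANT,
    ))
    return d


if __name__ == "__main__":
    d = sample_dpia()
    print("DPIA required:", dpia_required(mandatory_hits=1, additional_hits=0))
    for r in d.risks:
        print(f"{r.harm[:45]:45} inherent={r.inherent():6} residual={r.residual()}")
    print("Decision:", d.decision())
```

The point of keeping residual ratings separate from inherent ones is that the consultation check in step 7 is driven only by what remains after mitigation, so adding an unmitigated high risk to the record flips `decision()` to "consult ICO before processing" until a mitigation with a lower residual rating is recorded.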

What to include in your DPIA

UK GDPR Article 35(7) sets out the minimum content: the first four items below. The ICO also expects the lawful basis and any DPO advice to be recorded. Your DPIA should contain:

Systematic description of processing
The nature, scope, context, and purposes of the processing operations and what personal data is involved
Necessity and proportionality assessment
Why the processing is necessary for the stated purpose, and why you cannot achieve the same outcome with less data or less intrusive means
Risk assessment
An assessment of the risks to individuals' rights and freedoms, considering both likelihood and severity of potential harm
Mitigation measures
The measures you will take to address risks, including safeguards, security measures, and mechanisms to demonstrate compliance
Lawful basis
Your lawful basis under Article 6 and, if applicable, the Article 9 condition for processing special category data
DPO advice (if applicable)
The views of your Data Protection Officer and whether you followed their advice

When processing involves special category data

If your proposed processing involves special category data, the risks to individuals are inherently higher. You need both a lawful basis under Article 6 and a separate condition under Article 9 to process this data at all. Your DPIA should specifically address the additional sensitivity and the extra protections you will put in place.

When your DPIA covers special category data, pay particular attention to:

  • Whether consent is genuinely free - in employment or healthcare contexts, power imbalances may mean consent is not reliable
  • Whether a less sensitive alternative exists - could you achieve your purpose without health data, biometric data, or other special categories?
  • Enhanced security measures - stronger encryption, tighter access controls, and more rigorous staff training
  • Appropriate policy document - required when relying on most of the DPA 2018 Schedule 1 conditions (Schedule 1 states which conditions carry this requirement)

Reviewing and updating DPIAs

A DPIA is not a one-off exercise. You must keep it under review and update it when the nature, scope, context, or purposes of your processing change.

When to review

  • Change in processing: You expand the data collected, change the purpose, share with new recipients, or use new technology
  • New risks emerge: A data breach or new ICO guidance highlights risks you did not originally consider
  • Significant time has passed: Review at least annually to confirm the processing still matches what you assessed
  • Organisational changes: A merger, acquisition, or restructuring that changes who controls or processes the data

Compare the current processing against the original DPIA. If anything has changed materially, update the assessment, reassess risks, and record the updated outcome. If new high risks emerge that you cannot mitigate, you may need to consult the ICO again.

Common problems and how to avoid them

  • Conducting a DPIA after processing has started: A DPIA must be carried out before processing begins. If you discover processing is underway without one, conduct the assessment immediately and consider pausing the processing until it is complete.
  • Treating a DPIA as a tick-box exercise: The ICO will look at whether your assessment was meaningful and whether you acted on its findings. Generic risk assessments will not demonstrate compliance.
  • Failing to involve the right people: Involve your DPO, IT and security teams, the business team proposing the processing, and (where proportionate) the individuals whose data will be processed.
  • Not consulting the ICO when required: If your DPIA identifies a high risk you cannot reduce, ICO consultation is mandatory. Starting processing without it is a breach of Article 36.

Penalties

Failure to carry out a required DPIA, or to consult the ICO when required, falls under the standard tier of UK GDPR fines. This can result in a penalty of up to £8.7 million or 2% of annual worldwide turnover (whichever is higher).

Beyond fines, the ICO can issue enforcement notices requiring you to stop or change your processing. If you have proceeded with high-risk processing without a DPIA, the ICO may order you to cease the processing entirely until a proper assessment is completed.

What to do next

  • Download the ICO's DPIA template to structure your assessment consistently
  • Screen your current processing activities to identify any that should have had a DPIA but do not
  • Build DPIA screening into your project planning so that new processing activities are assessed before they begin
  • Keep a register of DPIAs with review dates to ensure they remain current
  • Train relevant staff to recognise when a DPIA may be needed and to escalate to the right person