A data protection impact assessment (DPIA) is a process for systematically analysing how a proposed data processing activity could affect individuals' privacy. Under UK GDPR Article 35, you must carry out a DPIA before beginning any processing that is likely to result in a high risk to people's rights and freedoms.

DPIAs help you identify privacy risks early, build data protection into your processes from the start, and demonstrate to the ICO that you have considered the impact on individuals.

Who is responsible

As the data controller, you are responsible for carrying out the DPIA. This applies whether you process data yourself or use a data processor on your behalf. If you have a Data Protection Officer (DPO), you must seek their advice, but the final accountability sits with you. If you use joint controllers or processors, involve them in the assessment.

When a DPIA is required

UK GDPR Article 35 sets out specific circumstances where a DPIA is mandatory. You must also consider whether any processing you carry out meets the ICO's additional criteria for high-risk processing.

When a DPIA is required (mandatory triggers)

The circumstances under UK GDPR Article 35 that require a Data Protection Impact Assessment before processing begins.

Under UK GDPR Article 35, you must carry out a Data Protection Impact Assessment (DPIA) before any processing that is likely to result in a high risk to individuals' rights and freedoms.

Mandatory trigger 1: Systematic and extensive profiling: Automated processing including profiling that produces legal effects or similarly significant effects on individuals
Mandatory trigger 2: Large-scale special category data: Large-scale processing of special category data (health, race, religion, sexual orientation, biometrics, etc.) or criminal offence data
Mandatory trigger 3: Large-scale public monitoring: Systematic monitoring of a publicly accessible area on a large scale (e.g. large-scale CCTV)
Mandatory trigger 4: Innovative technology: Use of new technologies where the impact on individuals is not yet fully understood
Mandatory trigger 5: ICO published list: Any processing that appears on the ICO's published list of processing operations requiring a DPIA

ICO’s additional criteria (two or more may trigger a DPIA)

Evaluation or scoring (including profiling and predicting)
Automated decision-making with legal or significant effect
Systematic monitoring
Sensitive data or data of a highly personal nature
Data processed on a large scale
Matching or combining datasets
Data concerning vulnerable individuals (children, employees, patients)
Innovative use or applying new technological or organisational solutions
Processing that prevents individuals from exercising a right or using a service or contract

If your processing meets two or more of these criteria, you are very likely to need a DPIA.

ICO consultation: Must consult the ICO before processing if the DPIA identifies a high risk that you cannot mitigate
Penalty for not conducting a required DPIA: Up to £8.7 million or 2% of annual worldwide turnover
Legislation: UK GDPR Article 35

ICO DPIA guidance

When a DPIA is not required

Not every data processing activity needs a DPIA. You are unlikely to need one for:

Routine processing that is well-established and low risk (for example, standard payroll processing for a small team)
Processing that is very similar to something already assessed in a previous DPIA, provided the risks have not changed
Processing where the legal basis is a legal obligation or public task, and the relevant legislation already mandated a similar assessment

Use the ICO's screening checklist if you are unsure. The checklist helps you determine whether your processing is likely to be high risk and whether a full DPIA is needed. Even when a DPIA is not strictly required, the ICO recommends conducting one as good practice for any processing that could affect individuals.

Step-by-step DPIA process

Follow these steps to carry out a DPIA. The ICO provides a template you can use, but you are not required to follow a specific format. What matters is that your assessment is thorough and documented.

1

1. Screen using the ICO checklist

Use the ICO's screening checklist to confirm whether a full DPIA is needed. If you answer yes to any mandatory trigger, or yes to two or more of the additional criteria, you need a DPIA. Document this screening decision even if you conclude a DPIA is not required - the ICO may ask to see your reasoning.
2

2. Describe the processing

Set out exactly what you plan to do with personal data. Include: the nature of the processing (what operations), the scope (what data, how many people, geographic area), the context (your relationship with the individuals), and the purpose (why you are doing it). Be specific - vague descriptions will not support a meaningful risk assessment.
3

3. Assess necessity and proportionality

Explain why the processing is necessary for your stated purpose. Consider whether you could achieve the same outcome with less data or less intrusive processing. Confirm your lawful basis under Article 6 (and Article 9 condition if processing special category data). This step demonstrates you have considered alternatives and chosen the least privacy-intrusive approach.
4

4. Identify and assess risks to individuals

Consider what could go wrong for the individuals whose data you are processing: financial loss, identity theft, discrimination, reputational damage, loss of confidentiality, or significant inconvenience. For each risk, assess both the likelihood and the severity. Consider risks from data breaches, but also risks from the processing itself operating as intended (for example, profiling that could lead to unfair treatment).
5

5. Identify measures to mitigate risks

For each risk, decide what you will do to reduce it. Mitigation measures might include: encryption or pseudonymisation, access controls, staff training, data minimisation, shorter retention periods, transparency measures, allowing individuals to opt out, or changing the design of the processing. Record each measure alongside the risk it addresses and assess the residual risk after mitigation.
6

6. Record and sign off outcomes

Document your DPIA findings in a structured record: the description of processing, necessity assessment, each risk with its rating, mitigation measures, residual risk, and your decision on whether to proceed. The record should be approved by a senior decision-maker. If you have a DPO, record their advice and whether you followed it. Keep this record - the ICO can request to see it.
7

7. Consult the ICO if high risk remains

If your DPIA identifies a high risk that you cannot mitigate, you must consult the ICO before proceeding. The ICO has eight weeks to respond (extendable by six weeks for complex cases) and may advise you to change or stop the processing. Do not begin the processing until you have received the ICO's response. Proceeding without consultation when required is itself a breach of UK GDPR.

What to include in your DPIA

UK GDPR Article 35(7) sets out the minimum content. Your DPIA must contain:

Systematic description of processing

The nature, scope, context, and purposes of the processing operations and what personal data is involved

Necessity and proportionality assessment

Why the processing is necessary for the stated purpose, and why you cannot achieve the same outcome with less data or less intrusive means

Risk assessment

An assessment of the risks to individuals' rights and freedoms, considering both likelihood and severity of potential harm

Mitigation measures

The measures you will take to address risks, including safeguards, security measures, and mechanisms to demonstrate compliance

Lawful basis

Your lawful basis under Article 6 and, if applicable, the Article 9 condition for processing special category data

DPO advice (if applicable)

The views of your Data Protection Officer and whether you followed their advice

When processing involves special category data

If your proposed processing involves special category data, the risks to individuals are inherently higher. You need both a lawful basis under Article 6 and a separate condition under Article 9 to process this data at all. Your DPIA should specifically address the additional sensitivity and the extra protections you will put in place.

Special category data processing conditions (Article 9)

The conditions under UK GDPR Article 9 and DPA 2018 Schedule 1 that permit processing of special category personal data.

Special category data is personal data that is more sensitive and needs more protection. Processing is prohibited under UK GDPR Article 9(1) unless you can identify both a lawful basis under Article 6 AND a separate condition under Article 9(2).

Special categories include: Racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (for identification), health data, sex life or sexual orientation
(a) Explicit consent: Individual has given explicit consent for specified purposes
(b) Employment, social security, social protection: Processing necessary for employment, social security, or social protection obligations under law
(c) Vital interests: Processing necessary to protect life where individual cannot give consent
(d) Not-for-profit bodies: Processing by a body with political, philosophical, religious, or trade union aims, relating to its members
(e) Made public by data subject: Data has been manifestly made public by the individual
(f) Legal claims: Processing necessary for establishing, exercising, or defending legal claims
(g) Substantial public interest: Processing necessary for reasons of substantial public interest, with an appropriate policy document (DPA 2018 Schedule 1 conditions)
(h) Health or social care: Processing necessary for health or social care purposes, managed by a professional with duty of confidentiality
(i) Public health: Processing necessary for public health reasons (e.g. cross-border health threats)
(j) Archiving, research, statistics: Processing necessary for archiving in the public interest, scientific/historical research, or statistical purposes

DPA 2018 Schedule 1 conditions

For conditions (b), (g), (h), (i), and (j), the DPA 2018 Schedule 1 specifies additional UK-specific conditions. These include 23 substantial public interest conditions covering areas such as:

Preventing or detecting unlawful acts
Protecting the public against dishonesty
Safeguarding of children and vulnerable adults
Insurance purposes
Occupational pensions
Equal opportunity and anti-discrimination monitoring

An appropriate policy document is required when relying on most Schedule 1 conditions.

ICO guide to special category data

Reviewing and updating DPIAs

A DPIA is not a one-off exercise. You must keep it under review and update it when the nature, scope, context, or purposes of your processing change.

When to review

Change in processing: You expand the data collected, change the purpose, share with new recipients, or use new technology
New risks emerge: A data breach or new ICO guidance highlights risks you did not originally consider
Significant time has passed: Review at least annually to confirm the processing still matches what you assessed
Organisational changes: A merger, acquisition, or restructuring that changes who controls or processes the data

Compare the current processing against the original DPIA. If anything has changed materially, update the assessment, reassess risks, and record the updated outcome. If new high risks emerge that you cannot mitigate, you may need to consult the ICO again.

Common problems and how to avoid them

Conducting a DPIA after processing has started: A DPIA must be carried out before processing begins. If you discover processing is underway without one, conduct the assessment immediately and consider pausing the processing until it is complete.
Treating a DPIA as a tick-box exercise: The ICO will look at whether your assessment was meaningful and whether you acted on its findings. Generic risk assessments will not demonstrate compliance.
Failing to involve the right people: Involve your DPO, IT and security teams, the business team proposing the processing, and (where proportionate) the individuals whose data will be processed.
Not consulting the ICO when required: If your DPIA identifies a high risk you cannot reduce, ICO consultation is mandatory. Starting processing without it is a breach of Article 36.

Penalties

Failure to carry out a required DPIA, or to consult the ICO when required, falls under the standard tier of UK GDPR fines. This can result in a penalty of up to £8.7 million or 2% of annual worldwide turnover (whichever is higher).

Beyond fines, the ICO can issue enforcement notices requiring you to stop or change your processing. If you have proceeded with high-risk processing without a DPIA, the ICO may order you to cease the processing entirely until a proper assessment is completed.

What to do next

Download the ICO's DPIA template to structure your assessment consistently
Screen your current processing activities to identify any that should have had a DPIA but do not
Build DPIA screening into your project planning so that new processing activities are assessed before they begin
Keep a register of DPIAs with review dates to ensure they remain current
Train relevant staff to recognise when a DPIA may be needed and to escalate to the right person

ICO DPIA guidance and template

Official guidance and legislation

Data protection impact assessments (DPIAs) - ICO (opens in a new tab) ico
ICO DPIA screening checklist (opens in a new tab) ico
UK GDPR Article 35 - Data protection impact assessment (opens in a new tab) legislation.gov.uk
UK GDPR Article 36 - Prior consultation (opens in a new tab) legislation.gov.uk
Data Protection Act 2018 (opens in a new tab) legislation.gov.uk
Data protection and your business (GOV.UK) (opens in a new tab) gov.uk

Carry out a data protection impact assessment (DPIA)

Data protection annual compliance checklist

NHS Data Security and Protection Toolkit compliance

Data protection and CCTV for hospitality businesses

Data protection for retail businesses

Data protection for healthcare providers

Who is responsible

When a DPIA is required

When a DPIA is not required

Step-by-step DPIA process

1. Screen using the ICO checklist

2. Describe the processing

3. Assess necessity and proportionality

4. Identify and assess risks to individuals

5. Identify measures to mitigate risks

6. Record and sign off outcomes

7. Consult the ICO if high risk remains

What to include in your DPIA

When processing involves special category data

Reviewing and updating DPIAs

When to review

Common problems and how to avoid them

Penalties

What to do next

Official guidance and legislation

Related guides in Compliance & Legal

Data protection annual compliance checklist

NHS Data Security and Protection Toolkit compliance

Data protection and CCTV for hospitality businesses

Data protection for retail businesses

Data protection for healthcare providers

Who is responsible

When a DPIA is required

When a DPIA is not required

Step-by-step DPIA process

1. Screen using the ICO checklist

2. Describe the processing

3. Assess necessity and proportionality

4. Identify and assess risks to individuals

5. Identify measures to mitigate risks

6. Record and sign off outcomes

7. Consult the ICO if high risk remains

What to include in your DPIA

When processing involves special category data

Reviewing and updating DPIAs

When to review

Common problems and how to avoid them

Penalties

What to do next

Official guidance and legislation