What is a Data Protection Impact Assessment (DPIA)?

Conducting a Data Protection Impact Assessment (DPIA) is not only a legal obligation under the GDPR and UK-GDPR, but it is now becoming an essential requirement in securing contracts with enterprises, governments, and organisations operating in heavily regulated sectors. This growing demand for security and compliance documentation reflects the increasing expectation for suppliers to take a proactive approach to information security and ensure the security of their customer's data.

In this guide, we'll delve into the world of DPIAs: what they are, when they need to be carried out, and the vital information you'll need to perform them effectively and demonstrate your organisation's compliance.

What is a Data Protection Impact Assessment?

A Data Protection Impact Assessment (DPIA) is a risk assessment process that helps organisations identify, manage and minimise the risks associated with their data processing activities. It is a key component of compliance with the GDPR and UK-GDPR, and with a growing number of data protection laws worldwide, including the California Privacy Rights Act, Canada's PIPEDA and the Australian Privacy Principles (APP).

The main objective of conducting a Data Protection Impact Assessment (DPIA) is to analyse the potential risks and consequences of an organisation's data processing activities on the individuals whose data is being processed. In other words, it prompts organisations to consider the question:

"How might this new thing we're doing/building affect the privacy of the people whose data we're using?"

Organisations must conduct Data Protection Impact Assessments (DPIAs) at the outset of any project or new data processing activity that is likely to pose a high risk to individuals' rights and freedoms - more on this a little later.

By conducting a DPIA beforehand, organisations can ensure that privacy risks are identified and addressed before any data processing takes place. This not only supports compliance with the GDPR and UK-GDPR but also ensures that projects, activities and solutions are implemented with information security in mind from the outset, rather than having it added at the end as an afterthought. This approach of building solutions and implementing projects with privacy and security in mind is known as "Privacy by Design". It is a mandatory requirement of the GDPR and is increasingly being adopted by UK government bodies such as the NHS, the MOD and the Department for Education as a requirement for their suppliers.

Who needs to carry out a Data Protection Impact Assessment (DPIA)?

Figuring out who needs to do a DPIA is more about the 'what' than the 'who'. It doesn't really matter who you are or what sector you're in; it's all about what kind of data you're handling.

The GDPR and the UK-GDPR require organisations to carry out a DPIA when a new project or activity is likely to result in a "High Risk" to the individuals whose data is being processed. It's important to note that "High Risk" isn't just a reference to how likely it is that the data will be lost or get into the wrong hands. It's also about the scale of the fallout if something goes awry. 

Take medical information as an example. Even if the chances of such sensitive data being compromised might be low, the stakes are incredibly high. Should medical information be mishandled or accessed without authorisation, the consequences for the individuals involved could be profound.

Under the UK and EU GDPR, there are three types of data processing activity which are considered "High Risk" and automatically require a DPIA:

  1. Systematic and extensive profiling: This applies to systems that process large amounts of information to make automated decisions, for example credit checks, mortgage applications and bank loans, all of which have a significant legal effect on an individual.
  2. Large-scale use of sensitive data: This applies to any activity which processes "special category data" on a large scale, including but not limited to health, genetic or biometric data, information on racial or ethnic origin, and children's data. You can find a complete list of what counts as special category data on the ICO website.
  3. Public monitoring: This applies to the monitoring of publicly accessible places, for example CCTV monitoring.

There are several additional data processing activities for which a DPIA is also strongly recommended:

  • Handling data concerning vulnerable individuals.
  • Routine collection of sensitive personal information.
  • Processing data about children or data of a highly personal nature, such as political views.
  • Introducing processes that could limit someone's rights or access to services.
  • Implementing new or novel tech solutions, including AI, machine learning, wearables, IoT gadgets, and biometric scanning.

It's important to note that 'new or novel' here isn't limited to the latest technology. Depending on its scope, even implementing something as standard as CCTV can trigger the need for a DPIA.

When deciding whether to conduct a DPIA for your project, it's always better to be safe than sorry. If you have any doubts, it's recommended that you carry out a DPIA to ensure that you're aligned with the 'privacy by design' principles of UK-GDPR and to identify any potential security risks that may arise from your project. 

Naq automates compliance with the UK and Europe's most in-demand frameworks, including GDPR, Cyber Essentials, ISO 27001 and industry-specific standards like NHS DSPT, DTAC, ISO 13485 and MOD DART.

Our platform and compliance support take the guesswork out of compliance, giving you peace of mind that your organisation and solutions are compliant and ensuring you know exactly what to do to keep them that way.

Find out more.

How to conduct a DPIA:

There is no universal template for a Data Protection Impact Assessment (DPIA), since the requirements differ depending on your processing activities and on whether the DPIA is requested by a client or needed to comply with a particular framework. However, DPIAs usually consist of the following components:

  • A description of the project or activity and why a DPIA has been deemed necessary.
  • A detailed description of the proposed data processing activity, including the nature, scope, context and purpose of the data processing.
  • An assessment of the necessity of the data processing.
  • An assessment of any identifiable risks and their severity.
  • The actions that will be taken to mitigate these risks.
  • Further reviews.

Let's dive into each of these elements in detail:

1. A description of the project or activity and why a DPIA has been deemed necessary

You'll need to describe, in broad terms, the overarching objectives of your project or activity, the type of data processing involved and why you have identified the need for a DPIA. As mentioned earlier, projects that involve processing a substantial amount of personal data or handling "special category" data – such as health information, racial or ethnic origin, or biometric data – require a DPIA. If you're still unsure, you can use this ICO checklist as a helpful guide.

In instances where you decide that a DPIA is not required, it's essential to document this decision thoroughly, along with the reasons behind it. Keeping a record of this justification not only ensures transparency but also helps you maintain compliance with the GDPR and UK-GDPR.

2. A detailed description of the proposed data processing activity, including the nature, scope, context and the purpose of the data processing 

The core of your Data Protection Impact Assessment (DPIA) involves an in-depth description of the data processing activities tied to your project. This section is usually divided into four key areas: the nature, scope, context and the purpose of your data processing activities. 

This table serves as a guide for addressing each section in detail, ensuring that all aspects of data processing have been considered in your DPIA:

3. An assessment of the necessity of the data processing

The purpose of this segment in your Data Protection Impact Assessment (DPIA) is to thoroughly evaluate whether processing this data is necessary to achieve the objectives of your project or activity. 

You'll need to outline how processing the data is crucial for meeting your project's objectives. You'll also need to assess whether there are any other viable methods to achieve the same outcomes without processing the data. Even if the conclusion is that no feasible alternatives exist, it is essential to document this process and include it within your DPIA. 

Looking for an easier way to complete your DPIAs? Naq's platform acts as your source of truth for your organisation's compliance and information security, giving you clear insights into how your data processing activities align with compliance standards and quick access to the information you need to complete your DPIAs at speed.

Leverage the power of automated risk assessments, seamless compliance management, and expert support all in one platform with Naq. Learn more. 

4. Assess any identifiable risks and their severity.

The next crucial step in your Data Protection Impact Assessment involves objectively evaluating the potential risks associated with your data processing activities and their impact on the individuals whose data you're processing. It's important to note that risks are not limited to cyber-security threats such as ransomware attacks. They also include data being accidentally deleted by an organisation's systems, the accuracy of that data being compromised, and privacy-specific risks such as a data subject being unable to exercise their rights under the GDPR or losing control over their personal data.

Your assessment should comprehensively identify all the risks associated with your processing activities, their likelihood and an evaluation of the potential consequences of these risks, taking into account their severity.

As part of your evaluation, you must consider whether your processing activities could lead to:

  • discrimination
  • identity fraud
  • financial loss
  • reputational damage
  • inability to access services or opportunities
  • loss of control over the use of personal data

An effective and straightforward approach to evaluating your risks is using a risk matrix. This tool enables you to systematically analyse each identified risk by assessing its severity and likelihood. By visually plotting these risks on a matrix, you gain a clearer perspective on their overall impact, allowing you to prioritise them effectively:

5. Outline the actions that will be taken to mitigate these risks

Once you've identified the risks associated with your data processing activities, the next step is to outline the measures you'll implement to mitigate or reduce these risks. The specific actions will depend on the nature of your project and can range from opting not to process certain types of data to narrowing the scope of your project. Additional measures might include:

  • Implementing advanced cyber security tools.
  • Providing staff data security awareness training.
  • Developing internal policies and guidelines to help lower risk levels.

It's essential to record the expected effectiveness of the measures you choose. Will they eliminate the risk, reduce it, or will the risk have to be accepted because no mitigation is possible? Bear in mind that it's often unrealistic to completely eradicate all risks. The goal of this exercise is to ensure you have thoroughly considered and addressed the risks involved in processing data for your project.

Complete your DPIA by detailing any further measures your organisation plans to implement for risk reduction. Be sure to document these actions and note any residual risks that remain post-implementation.

Once you've completed your Data Protection Impact Assessment, it's crucial to treat it as a living document as your project develops. You should regularly review your DPIA, especially when the scope of your project changes or new data processing activities begin. Doing so ensures you are identifying and mitigating any emerging risks, keeping up with any legislative changes and keeping your organisation's risk management measures up to date.
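As an added illustration of the risk matrix (step 4) and the mitigation and residual-risk recording (step 5) described above, the following small risk register is example code written for this guide, not part of the original article or of Naq's platform. The 3x3 likelihood and severity scales, the band thresholds and the sample credit-check risks are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed scales (assumption): 1 = remote/minimal, 2 = possible/significant, 3 = probable/severe.
def band(likelihood: int, severity: int) -> str:
    """Place a likelihood x severity score on a 3x3 risk matrix."""
    score = likelihood * severity
    if score == 0:
        return "none"  # the measure removes the risk entirely
    if score <= 2:
        return "low"
    if score <= 4:
        return "medium"
    return "high"

@dataclass
class Risk:
    harm: str                               # harm to the data subject, as in the DPIA's risk list
    likelihood: int                         # 1..3 before any measure
    severity: int                           # 1..3 before any measure
    measure: str = ""                       # planned mitigation, empty if none
    likelihood_after: Optional[int] = None  # expected effect of the measure on likelihood
    severity_after: Optional[int] = None    # expected effect of the measure on severity

def assess(risk: Risk) -> dict:
    """Score the inherent risk, apply the planned measure and classify the outcome."""
    inherent = band(risk.likelihood, risk.severity)
    l2 = risk.likelihood if risk.likelihood_after is None else risk.likelihood_after
    s2 = risk.severity if risk.severity_after is None else risk.severity_after
    residual = band(l2, s2)
    if residual == "none":
        outcome = "eliminated"
    elif l2 * s2 < risk.likelihood * risk.severity:
        outcome = "reduced"
    else:
        outcome = "accepted"  # no effective measure: the risk is accepted and recorded as such
    return {"harm": risk.harm, "inherent": inherent, "residual": residual, "outcome": outcome}

def residual_high(register: list) -> list:
    """Harms whose residual risk is still in the high band and therefore need further review."""
    return [a["harm"] for a in map(assess, register) if a["residual"] == "high"]

# Constructed sample register for a hypothetical automated credit-check project
REGISTER = [
    Risk("discrimination from automated decisions", 2, 3,
         "human review of every declined application", likelihood_after=1),
    Risk("identity fraud after a breach of applicant records", 2, 3,
         "encrypt records at rest and restrict access by role", likelihood_after=1, severity_after=2),
    Risk("loss of control over personal data shared with a credit bureau", 3, 2),
]
```

Running `assess` over `REGISTER` shows the first two risks dropping from the high band to medium and low, while the third, with no planned measure, stays high and is returned by `residual_high` as needing further review.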

Naq makes completing DPIAs easier than ever before. Our automated platform brings together all your risks, assets, suppliers, and compliance frameworks to simplify the generation of your Data Protection Impact Assessments and Data Protection Agreements, backed by support from our compliance experts if you need it. Book a demo to find out more.