What is a Data Protection Impact Assessment?

A DPIA is a mechanism for identifying, quantifying and mitigating data privacy risks. It is undertaken to ensure appropriate controls are put in place when any new process, system or ways of working involving the use of high risk processing (such as processing “health data”) is introduced.

  • When undertaking a DPIA, an organisation’s designated Data Protection Officer must be consulted. A DPIA should be signed off by an organisation’s Senior Information Risk Owner (SIRO) and the Data Protection Officer (DPO).
  • A DPIA has to be completed before any new process, system or way of working goes live (i.e. at the business planning stage of a project) where it involves high risk processing.
  • The completion of a DPIA will help to minimise the chance that any new process, system or way of working will present a high risk to the rights of individuals through a failure to comply with the GDPR (or new DPA).