Skip to content
LegalVision UK

When Should My Business Run a Data Protection Impact Assessment?

Avatar photo

By Sej Lamba

Updated on
Reading time: 5 minutes

Meets editorial guidelines

This article meets our strict editorial principles. Our lawyers, experienced writers and legally trained editorial team put every effort into ensuring the information published on our website is accurate. We encourage you to seek independent legal advice. Learn more.

Follow us on LinkedIn
Table of Contents

In Short

  • A Data Protection Impact Assessment (DPIA) helps identify and mitigate risks when processing personal data.
  • A DPIA is mandatory for high-risk activities, such as profiling or processing sensitive data.
  • The DPIA process ensures compliance with UK GDPR and protects individuals’ privacy rights.

Tips for Businesses

Always conduct a DPIA if your data processing activities may pose high risks, like large-scale profiling or using sensitive data. Document your findings and consult a lawyer to ensure compliance with UK GDPR. If unsure, it’s better to perform a DPIA than to risk non-compliance.

A Data Protection Impact Assessment (DPIA) is a crucial process for businesses that process personal data to understand, particularly when their processing risks individuals’ privacy. Under UK data protection law rules, organisations must perform a DPIA before undertaking any processing that may present specific privacy risks due to its nature, scope, or purpose. The UK ICO provides guidance to help businesses understand when a DPIA is necessary and how to comply with data protection requirements. This article explores when a company needs to run a DPIA and why. 

What is a DPIA?

A DPIA is a structured process that assesses how personal data processing activities might impact individuals’ privacy rights. It involves evaluating the potential risks associated with processing, including the nature, scope, context, and purpose of the data use.

The DPIA helps identify these risks, implement measures to mitigate them, ensure compliance with UK GDPR rules, and protect individuals’ rights.

When Do I Need to Carry Out a DPIA?

Under the UK GDPR, a DPIA is mandatory when processing personal data, which is likely to result in a high risk to individuals’ rights and freedoms. High risk refers to the potential for significant harm to individuals, including economic or social disadvantage. 

Here are some examples of when a DPIA is required (although this list is not exhaustive, and other types of processing may require a DPIA):

  • systematic and extensive evaluation: this involves automated processing, such as profiling, where decisions produce legal effects or similarly significant impacts on individuals;
  • large-scale processing of special category data: this applies to processing sensitive data such as health or biometric data or data related to criminal convictions; and
  • monitoring public spaces: this involves systematically monitoring publicly accessible areas on a large scale.
Continue reading this article below the form
Need legal advice?
Call 0808 196 8584 for urgent assistance.
Otherwise, complete this form and we will contact you within one business day.

Examples

The ICO has identified various personal data processing situations that are likely to require a DPIA:

  • innovative technology: using new technologies or applying existing ones in novel ways, such as artificial intelligence, machine learning, or certain Internet of Things devices;
  • denial of service: decisions that concern an individual’s right to access a product, service, or benefit based on automated decision-making or involving special category data;
  • large-scale profiling: profiling individuals on a large scale;
  • biometric data: processing biometric data, like facial recognition or fingerprint scanning, especially when combined with other high-risk factors;
  • genetic data: handling genetic data other than by a GP or health professional for direct healthcare, particularly when combined with other high-risk criteria;
  • data matching: combining or matching personal data from different sources;
  • invisible processing: processing personal data that has not been obtained directly from the data subject, especially when providing privacy information is impossible or involves disproportionate effort;
  • tracking: processing that involves tracking an individual’s geolocation or behaviour, including online tracking, particularly when combined with other high-risk criteria;
  • targeting children or vulnerable individuals: using personal data of children or vulnerable individuals for marketing, profiling, or automated decision-making, or offering online services directly to children; and
  • risk of physical harm: processing that could lead to physical harm to individuals, such as processing social care data, which could result in significant harm if breached.

If you are uncertain about whether a DPIA is required, it is advisable to conduct one. This approach is good practice for managing potential risks in major projects involving personal data. 

How Does a DPIA Work?

A DPIA systematically identifies and manages data protection risks. It involves carefully describing the data processing activity, including its scope, purpose, and data type. You must then assess the necessity and proportionality of the processing and evaluate potential risks to individuals’ rights and freedoms, considering both the likelihood and severity of possible harm. Your business may need to implement measures to mitigate or eliminate the risks, such as encryption, access controls, or consent mechanisms. 

You should document the DPIA outcomes, including identified risks and the actions to address them, to demonstrate compliance with the UK GDPR. If high risks remain, you should consult the ICO before processing.

How Can a Data Protection Lawyer Help You With a DPIA?

Understanding when and how to run a compliant DPIA can be complex and confusing. A data protection lawyer can guide you through the DPIA process, ensuring your business complies with UK GDPR requirements. They can help you determine when a DPIA is necessary, identify and assess specific risks in your data processing activities, and help you consider the best ways to mitigate those risks. 

A lawyer can also assist in documenting the DPIA accurately and provide ongoing support to review and update it, especially if new risks emerge or your data processing activities change. If high risks are identified that cannot be mitigated, they can guide you through the process of consulting the ICO

Front page of publication
GDPR Essentials Factsheet

This factsheet sets out how your business can become GDPR compliant.

Download Now

Key Takeaways

Conducting a DPIA is a legal requirement for high-risk data processing activities under the UK GDPR. This process helps identify and mitigate risks, ensuring compliance with data protection laws and protecting individuals’ rights. The ICO’s guidance highlights several scenarios where a DPIA is mandatory, although businesses should be prepared to conduct one whenever there is uncertainty about the risks involved. Working with a data protection lawyer can give you comfort and ensure that your DPIA is thorough and compliant, helping you manage risks effectively and demonstrate accountability.

If you need advice on a DPIA, our experienced data, privacy and IT lawyers can assist. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page

Frequently Asked Questions

What is a DPIA?

A DPIA is a process that helps businesses identify and mitigate risks associated with processing personal data, particularly when the processing could pose a high risk to individuals’ privacy.

When must my business conduct a DPIA?

You must conduct a DPIA when engaging in high-risk data processing activities, such as using innovative technologies, large-scale profiling, processing sensitive data, or tracking individuals’ behaviour.

Register for our free webinars

Preventing Employee Competitors: How to Protect Your Business

Online
Learn how to protect your business from employee competitors. Register for our free webinar today.
Register Now

Protecting and Enforcing Your Brand

Online
Protect your brand from misuse and infringement. Register for our free webinar.
Register Now

Deal Structures 101: Understanding Equity, ASAs and Convertible Notes

Online
As a startup founder, understand your capital raising options. Register for our free webinar today.
Register Now

Common Legal Pitfalls for SaaS and Online Businesses

Online
Protect your online or SaaS business from common legal pitfalls. Register for our free webinar.
Register Now
See more webinars >
Sej Lamba

Sej Lamba

| View profile

Read all articles by Sej

About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.

Learn more

Related articles

3 Documents Your Company Needs to Demonstrate GDPR Compliance

3 Key UK GDPR Considerations for Private Education Providers

4 Common Challenges Your Company Will Face With the GDPR in the UK

Am I a Data Controller or Data Processor Under the UK GDPR?

We’re an award-winning law firm

  • Award

    2024 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2024 Law Firm of the Year Finalist - Modern Law Private Client Awards

  • Award

    2023 Economic Innovator of the Year Finalist - The Spectator

  • Award

    2023 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2023 Future of Legal Services Innovation - Legal Innovation Awards