Data Protection Impact Assessment Guidance Notes

When planning a new project that involves personal data, particularly one
which envisages a new use for that data or involves new technologies, a
Data Protection Impact Assessment (sometimes also referred to as a Privacy
Impact Assessment) is an important part of complying with the UK's data protection legislation (including the UK GDPR and the Data Protection Act 2018).

This document has been updated for compatibility with the UK GDPR and is ready for use from the start of 2021.

Data Protection Impact Assessments (DPIAs) are designed to help you map out
the data flows involved in a proposed project. What data will be collected?
How will you store it? How will you use it? On what lawful basis? Many
questions should be asked in order to determine whether your proposed use
of personal data is appropriate and proportionate, taking into account your

Risk assessment plays a central part in a DPIA. You should identify all
potential risks posed to individual data subjects (and indeed to your own
organisation) and assess the severity of those risks. Having done so, it is
important to consider and decide how you will mitigate them.

These Data Protection Impact Assessment Guidance Notes have been created as
an essential guide to the DPIA, setting out the key stages, and explaining
more about what you should do at each stage and why, drawing on guidance
from the ICO and from the European Data Protection Board (as published by
its predecessor, the Article 29 Working Party).
These Data Protection Impact Assessment Guidance Notes contain the
Part 1. What is a Data Protection Impact Assessment?
Part 2. When is a DPIA Required?
Part 3. Carrying Out a DPIA
Part 4. What’s Next?