Data Protection Impact Assessment (Short Form)
Data Protection Impact Assessments are an important part of data protection compliance, particularly the data protection by design and default approach advocated by the UK's data protection legislation (including the UK GDPR and Data Protection Act 2018). When a project is likely to result in a high risk to the individuals whose personal data will ultimately be involved, the law requires that you carry out a DPIA. Even when a DPIA is not legally required, it is still a useful exercise when planning a project that will involve the use of personal data.
In simple terms, a DPIA helps you to identify and minimise the risks associated with personal data and data protection in your project. Not only should you identify the risks themselves, but also the likelihood and severity of them.
It is vitally important to note that a DPIA is a serious exercise. If a high risk is identified that cannot be mitigated satisfactorily, you must consult with the Information Commissioner’s Office before starting to process personal data for the relevant purpose or purposes.
This template is a shorter and simpler version of our Data Protection Impact Assessment and is designed to be more open and flexible while still following the criteria set out in the UK GDPR. Rather than setting out a prescriptive set of granular questions under every heading, many sections in this DPIA template simply set out the key issues to be considered, enabling you to tailor the DPIA to your project more easily.
You must carry out a DPIA if you plan to:
- Carry out systematic and extensive profiling that will have significant effects;
- Process sensitive personal data (or data about criminal offences) on a large scale; or
- Systematically monitor public spaces on a large scale.
These may well not apply to many small businesses, but the Information Commissioner’s Office (ICO) has additional criteria that call for a
- Using new technologies;
- Using profiling or sensitive personal data to determine individuals’ access to services;
- Profiling individuals on a large scale;
- Processing biometric or genetic data;
- Matching or combining data from multiple sources;
- Collecting personal data from a source other than an individual without providing the individual with a privacy notice (known as ‘invisible processing’);
- Tracking individuals’ location or behaviour;
- Profiling children or targeting services to them; or
- Processing data that may endanger individuals’ physical health or safety if a security breach occurs.
Optional phrases / clauses are enclosed in square brackets. These should be read carefully and selected so as to be compatible with one another. Unused options should be removed from the document.
This Data Protection Impact Assessment (Short Form) contains the following sections:
1. Project Summary
2. Is a DPIA Required?
4. Necessity and Proportionality
6. Solutions to Identified Risks
7. Approved Solutions
8. Integration of DPIA Outcomes into Project Plan
9. Approval and Sign-Off
This Data Protection Impact Assessment (Short Form) is in open format. Either enter the requisite details in the highlighted fields or adjust the wording to suit your purposes.