The GDPR places considerable importance on taking a ‘data protection by
design’ approach when it comes to using personal data. In simple terms,
this means that whenever you use personal data, privacy and data protection
should be key considerations from the very beginning.
A Privacy Impact Assessment, now known (inevitably by a longer name) as a
Data Protection Impact Assessment, is a valuable tool in this regard.
The purpose of a PIA or DPIA is to document the identification of privacy
risks in a project, the proposed solutions, the evaluation of those
solutions, the agreed solutions, and the integration of those solutions
into the overall project plan. Ideally, risks will be eliminated or
significantly minimised, allowing the project to proceed unhindered and
protecting the rights of individuals.
Do I Need to do a Privacy Impact Assessment?
Officially, that depends. The GDPR has three criteria to determine whether
or not a PIA (DPIA) is required. The ICO bulks this up somewhat with a
Under the GDPR, you must carry out a PIA if you plan to:
- Carry out systematic and extensive profiling that will have significant
- Process sensitive personal data (or data about criminal offences) on a
large scale; or
- Systematically monitor public spaces on a large scale.
Under the ICO’s list, you must carry out a PIA if you are:
- Using new technologies;
- Using profiling or sensitive personal data to determine individuals’
access to services;
- Profiling individuals on a large scale;
- Processing biometric or genetic data;
- Matching or combining data from multiple sources;
- Collecting personal data from a source other than an individual without
providing the individual with a privacy notice (known as ‘invisible
- Tracking individuals’ location or behaviour;
- Profiling children or targeting services to them; or
- Processing data that may endanger individuals’ physical health or safety
if a security breach occurs.
As is clear from these lists, it may not be strictly necessary for many SMEs
to carry out an assessment. However, it is still good practice. You will be
bound by the GDPR’s requirements (and threatened with its penalties) whenever
you use any personal data for any purpose. By baking in solutions to potential
privacy problems from the word go, you are taking a much safer approach to
New Privacy Impact Assessment Template
To get you started in the right way (the GDPR way!) we have published a new
Privacy Impact Assessment template which will assist in documenting the
information flows, privacy risks, proposed solutions, the evaluation of
those solutions, and the integration of the agreed solutions into your
In addition, the template comes pre-loaded with a number of common privacy
risks and possible solutions. It is vital, however, that these are just
your starting point. Assess carefully the potential risks in your project,
adding them and their solutions to the relevant parts of the form. A
Privacy Impact Assessment is not something to be taken lightly, especially
if you do meet one of the GDPR or ICO criteria. If in doubt, consult the
ICO, and also note that if you cannot find a suitable solution to a privacy
risk, the ICO must be consulted before you proceed.
The contents of this Newsletter are for reference purposes only and do not constitute
legal advice. Independent legal advice should be sought in relation to any specific