

Data Protection Impact Assessments (DPIA)

If your business processes personal data, carrying out a Data Protection Impact Assessment (DPIA) is often a crucial step to meet your GDPR obligations.

A DPIA helps you identify and mitigate privacy risks, particularly in projects involving new technologies or the large-scale processing of sensitive information. Whether you're implementing a new CRM system, using profiling tools, or launching a new service, our experienced data protection solicitors can guide you through the DPIA process. We’ll help you determine when a DPIA is required, advise on its scope, and support you in documenting and mitigating any high-risk activities, ensuring your compliance is thorough, practical and defensible.

What is a Data Protection Impact Assessment? 

The Information Commissioner's Office (ICO) describes a Data Protection Impact Assessment as a process to help you identify and minimise the data protection risks of a project. 

It is a structured process that helps businesses identify the risks arising from their personal data processing. A DPIA also helps demonstrate compliance in line with the accountability principle.

When is a DPIA required? 

The GDPR states that a Data Protection Impact Assessment is required where a data controller is to process personal data that is 'likely to result in a high risk to the rights and freedoms of natural persons' (GDPR, Article 35). A common example is the introduction of new technologies that affect the rights and freedoms of individuals. High risk is particularly likely where the new technologies involve:

  1. Systematic and extensive profiling with significant effects 
  2. Large-scale use of sensitive data 
  3. Systematic monitoring of publicly accessible data on a large scale 

The ICO has also published examples of processing that is 'likely to result in high risk'.

For example, a DPIA would be required when introducing a Customer Relationship Management (CRM) system in a business. The CRM would manage interactions with customers and can therefore hold a significant amount of personal data, including names, emails, addresses, dates of birth and interests. A DPIA would help identify the risks associated with this processing and document the reasoning behind the outcomes reached and the decisions taken.

At times, it is clear-cut that a DPIA is required. In cases where it is not clear whether a DPIA is strictly mandatory, carrying out one is considered good practice and helpful in demonstrating compliance. After all, non-compliance would attract a penalty of the standard maximum amount of up to £8.7 million or 2% of the total annual worldwide turnover in the preceding financial year, whichever is higher.

What is usually included in a DPIA? 

The ICO website provides a sample template for a Data Protection Impact Assessment, outlining what should be included. However, there is no prescribed way to carry out a DPIA and no fixed list of what it must contain; the following is a non-exhaustive list:

Provide a description of the processing 

  • What type of personal data will you be collecting? 
  • How will you be collecting, storing and/or accessing the personal data?
  • Who will have access rights to the personal data? 
  • Who will you share the personal data with and why? 
  • What technologies will you use for processing the data? 
  • What technical, administrative and organisational measures will you put in place to protect the personal data? 
  • The scope of the personal data and the number of data subjects to whom it relates

Identify a legal basis 

  • Consultation – speak with relevant functions involved in the process, and in some instances, you may need to seek the views of the data subjects unless there is a good reason not to. A record must be made of this. 
  • Assess necessity and proportionality by identifying and evaluating the risks associated with your project. Depending on your risk scoring or outcomes, you need to document and establish your reasons for accepting any risk. 
  • Identify or introduce measures that will mitigate or eliminate risk. If you cannot mitigate high risk but wish to continue with your processing, then you must consult with the ICO. 
  • Record decision-making - include how you came to the decision and the names and roles of those who were involved in the process.
  • Review - the process needs to remain under review by testing its purposes against GDPR compliance.

How we can support your DPIA obligations

With the financial and reputational risks of non-compliance continuing to rise, ensuring your DPIA process is robust and proportionate is more critical than ever. A clear, well-documented DPIA not only helps demonstrate accountability under GDPR but also builds trust with your stakeholders. If you’re unsure whether your data processing activities require a DPIA, or you need help assessing and managing the associated risks, our data protection solicitors can help. We are on hand to provide clear, practical support tailored to your business. We’ll work with you to ensure your data governance is secure, lawful and future-proof.


What next?

Please leave us your details and we’ll contact you to discuss your situation and legal requirements. There’s no charge for your initial consultation, and no obligation to instruct us. We aim to respond to all messages received within 24 hours.

Your data will only be used by Harper James. We will never sell your data and promise to keep it secure. You can find further information in our Privacy Policy.
