What Does a UK GDPR-Compliant DPIA Actually Look Like?

by

in

,

A Data Protection Impact Assessment (DPIA) is a structured process for identifying and reducing the data protection risks of a project before it goes ahead. It’s a legal requirement under UK GDPR for processing likely to result in high risk to individuals, and good practice well beyond that threshold. Here’s what a proper one actually contains.

When is a DPIA legally required?

Under Article 35 of UK GDPR, a DPIA is mandatory where processing is “likely to result in a high risk to the rights and freedoms of natural persons” – the ICO’s guidance gives examples including large-scale systematic monitoring, large-scale processing of special category data, and use of new technologies (which in practice now includes most AI deployments involving personal data). If you’re unsure whether a project meets the threshold, doing a brief screening assessment to check is itself good practice and takes far less time than the full DPIA.

What does the assessment actually cover?

A compliant DPIA works through:

  • A description of the processing – what data, from whom, for what purpose, and how long it’s kept
  • Necessity and proportionality – whether the processing is genuinely needed to achieve the purpose, and whether a less intrusive approach would work
  • Risk identification – what could go wrong, for whom, and how likely and severe that is
  • Mitigating measures – what controls reduce each identified risk, and whether they reduce it to an acceptable level
  • Sign-off – a documented decision to proceed, proceed with changes, or not proceed

Who needs to be involved?

The DPO (or equivalent) should advise on and review the DPIA – that’s a statutory requirement, not just good practice. Where the processing is genuinely novel or high-risk, seeking the views of the individuals affected, or their representatives, is expected where practicable. If the assessment identifies risk that can’t be adequately mitigated, UK GDPR requires prior consultation with the ICO before the processing goes ahead.

What’s the most common mistake?

Treating the DPIA as a compliance form to complete after the decision has already been made, rather than a genuine risk assessment carried out before it. A DPIA written to justify a project that’s already been signed off tends to read that way, and gives the organisation far less real protection if something does go wrong later.

If you’d like support carrying out or reviewing a DPIA, see our Data Protection advisory services.