Data Protection Impact Assessments

Data Protection Impact Assessments (DPIAs) are a core part of data protection methodology. As the ICO states:

A data protection impact assessment (DPIA) is a process to help you identify and minimise the data protection risks of a project. 

You must do a DPIA for certain types of processing, or any other processing that is likely to result in a high risk to individuals. 
It is also good practice to do a DPIA for any other major project which requires the processing of personal data.

Your DPIA must:
  • describe the nature, scope, context and purposes of the processing;
  • assess necessity, proportionality and compliance measures;
  • identify and assess risks to individuals; and,
  • identify any additional measures to mitigate those risks.

To assess the level of risk, you must consider both the likelihood and the severity of any impact on individuals. The high risk could result from either a high probability of some harm, or a lower possibility of serious harm. 

You should consult your data protection officer (if you have one) and, where appropriate, individuals and relevant experts. Any processors may also need to assist you.

Many of these aspects of the processing definition are required in a record of processing, so DPE (with a risk-based approach to data protection) uses the same tool to assess risk across existing and new processes.

We also use multiple sources for the definitions and approach we take, including the Information Commissioner's Office (, Data Protection Commission of Ireland (, the European Data Protection Board ( and the French Commission Nationale de l'Informatique et des Libertés ( However, our predominant methodology is provided by CNIL, mostly due to it's more thorough nature than that provided by the ICO.

We will be holding a series of webinars on risk and DPIAs, which will be available in the events section of the Knowledge Bank, or available for download from the best practice area. 

This is a recording of the presentation by James England covering: 

  • What is a Data Protection Impact Assessment?
  • When is one needed, and why?
  • Who does it?
  • How do we do it?
  • How do we document it and assess the risk?
  • Corporate Governance and data protection risk management


Have a question about Data Protection Impact Assessments? Ask it here.

Invalid Input
©2020 Data Protection Education Ltd.