A Data Protection Impact Assessment (DPIA) is a process, required by the EU General Data Protection Regulation (GDPR), to help identify and minimize the data protection risks of a project.
The UK Information Commissioner’s Office (ICO) has published new guidance on DPIAs.
Per the guidance, you are required to do a DPIA if you plan to:
- use innovative technology (in combination with any of the criteria from the European guidelines);
- use profiling or special category data to decide on access to services;
- profile individuals on a large scale;
- process biometric or genetic data (in combination with any of the criteria from the European guidelines);
- match data or combine datasets from different sources;
- collect personal data from a source other than the individual without providing them with a privacy notice (“invisible processing”);
- track individuals’ location or behavior;
- profile children or target marketing or online services at them;
- process data that might endanger the individual’s physical health or safety in the event of a security breach.