Data Protection Impact Assessment

A Data Protection Impact Assessment (DPIA) is a process, required by the EU General Data Protection Regulation (GDPR), to help identify and minimize the data protection risks of a project.

The UK Information Commissioner’s Office (ICO) has published a new guidance on DPIA’s.

Per the guidance you are required you to do a DPIA if you plan to:

  • use innovative technology (in combination with any of the criteria from the European guidelines);
  • use profiling or special category data to decide on access to services
  • profile individuals on a large scale
  • process biometric or genetic data (in combination with any of the criteria from the European guidelines)
  • match data or combine datasets from different sources
  • collect personal data from a source other than the individual without providing them with a privacy notice (“invisible processing”)
  • track individuals’ location or behavior
  • profile children or target marketing or online services at them
  • process data that might endanger the individual’s physical health or safety in the event of a security breach.

Read the full guidance.