What is a DPIA?

A Data Protection Impact Assessment (DPIA) is a structured process to identify and reduce privacy risks before you start a project that uses personal data. It supports the UK GDPR’s principle of accountability and data protection by design and by default (Article 25, Recitals 78 & 84).

In plain English, a DPIA is a privacy risk assessment. It helps you clarify what data you collect and why, how you will use and store it, what could go wrong for individuals, and what safeguards you will put in place.

The requirement sits in Article 35, UK GDPR, with enforcement and remedies under the Data Protection Act 2018 (DPA 2018).

Where the DPIA rules come from (UK GDPR, DPA 2018, WP29/EDPB, ICO)

  • UK GDPR: Retained EU law that includes DPIA duties in Article 35 (and related Recitals, notably 90 & 91). Consultation with the regulator appears in Article 36.
  • DPA 2018: Sets out the UK enforcement framework (e.g., powers of the ICO, remedies, and offences).
  • WP29 Guidelines (2017) → now EDPB: The former EU regulators (WP29) published authoritative Guidelines on DPIAs explaining how to assess “likely high risk” and what a good DPIA looks like. The ICO still treats these as helpful best practice for UK organisations.
  • ICO Guidance: The UK regulator’s DPIA guidance and checklists reflect WP29/EDPB thinking and add UK-specific expectations (e.g., examples of high-risk processing; what to send if you must consult the ICO).
  • Data (Use and Access) Act 2025: Amends UK data law in phases. Monitor updates, but the core DPIA duties in Articles 35–36 UK GDPR remain your starting point.

When is a DPIA required? (Article 35)

You must do a DPIA when the planned processing is likely to result in a high risk to individuals’ rights and freedoms (Article 35(1)). Article 35(3) gives three headline examples:

  1. Automated decision-making or profiling that produces legal or similarly significant effects.
  2. Large-scale processing of special category data (see Article 9(1)) or data about criminal convictions (Article 10).
  3. Systematic monitoring of publicly accessible areas on a large scale (e.g., extensive CCTV).

These examples are not exhaustive. If you are unsure whether the risk is “high”, the ICO’s practical advice is simple: do a DPIA anyway.

Examples of high-risk processing (WP29 & ICO)

The WP29 Guidelines say you should generally carry out a DPIA if your processing meets two or more of the following criteria (even one may be enough in some cases):

  • Evaluation or scoring (including profiling and prediction).
  • Automated decisions with legal or similarly significant effects.
  • Systematic monitoring (e.g., employee monitoring, public space monitoring).
  • Sensitive or highly personal data (including special category data under Article 9, or e.g., location/financial data).
  • Large-scale processing (many people, long duration, broad geographic scope).
  • Matching or combining datasets from different sources.
  • Data about vulnerable individuals (e.g., children, employees, patients, elderly).
  • Innovative technology or novel uses (e.g., AI, biometrics, tracking tech).
  • Processing that may prevent someone exercising a right or using a service.

The ICO adds UK-focused examples that are likely to need a DPIA, such as: large-scale profiling; data matching; using AI/ML; biometric or genetic data; invisible processing; geolocation tracking; targeting children or other vulnerable groups; and processing that could cause physical harm.

When a DPIA is not required

Under Article 35(1) & (5), a DPIA is not mandatory when:

  • The processing is unlikely to result in high risk.
  • The nature, scope, context and purposes are very similar to processing you already assessed in a DPIA.
  • The processing is authorised by law and already covered by a prior impact assessment.

The ICO has not (at the time of writing) published a definitive “no DPIA needed” list. If you decide not to do a DPIA, record your reasoning.

Who is responsible? (Controller, DPO, Processor, Data subjects)

  • Controller (Article 35(1)): Responsible for ensuring a DPIA is completed before processing starts.
  • DPO (Articles 35(2), 37 & 39): If you have a DPO, you must seek their advice; record that advice and your decisions. The DPO should advise on necessity, method, risk mitigation, and whether processing can proceed.
  • Processor (Article 28(3)(f)): Must assist the controller with information needed for the DPIA.
  • Data subjects (Article 35(9)): Seek views where appropriate; if you decide not to, document why.

What a DPIA must include (Article 35(7))

  1. Description of processing and purpose (including nature, scope, context and purposes; Recital 90).
  2. Necessity and proportionality (is there a less intrusive way to achieve the purpose?).
  3. Risks to individuals (origin, nature, likelihood and severity; Recital 84).
  4. Measures to address risks (safeguards, security controls, and ways to demonstrate compliance).

Timing matters: carry out the DPIA before processing (Article 35(1); Recital 90). Treat it as a living document and keep it under review as your project evolves.

When to consult the ICO (Article 36)

If, after your DPIA, there remains a high residual risk that you cannot reduce, you must consult the ICO before proceeding (Article 36(1)).

Typically you will provide the DPIA, details of controllers/processors, processing purposes and methods, safeguards, and DPO contact details. The ICO usually responds within 8 weeks (up to 14 weeks for complex matters) with advice to approve, require changes, or prohibit the processing.

Penalties for non-compliance

Failure to carry out a required DPIA or to consult the ICO where necessary can lead to fines under Article 83(4), UK GDPR: up to £8.5 million or 2% of worldwide annual turnover (whichever is higher), alongside enforcement powers under the DPA 2018.

Practical steps for businesses

  • Create a clear DPIA policy and template aligned to Article 35 and ICO guidance.
  • Train product, IT, HR, marketing and operations teams to spot when a DPIA is needed.
  • Use a “DPIA-lite” for lower-risk projects to evidence accountability.
  • Document decisions when you conclude a DPIA is not required.
  • Review and update DPIAs when processing changes or when new risks emerge.
  • Consider whether to involve legal advisors where privilege or complex risk trade-offs arise.

Quick FAQs

Does WP29 still matter post-Brexit?

Yes, as best practice. WP29’s DPIA Guidelines (now under the EDPB) are not binding in the UK, but the ICO regularly aligns with them and they remain a useful reference for UK organisations.

What if our processing already started?

If the risks and safeguards were previously assessed (e.g., in an earlier Privacy Impact Assessment (PIA)), a new DPIA may not be required. But if the nature, scope, context or purposes have changed significantly, conduct a new DPIA or update the existing one.

Do we have to publish our DPIA?

No. There is no duty to publish under UK GDPR, but publishing a redacted summary can build trust. Avoid disclosing commercially sensitive or security-sensitive details.

Important: This overview is for general guidance only and is not legal advice. For tailored advice on DPIAs under the UK GDPR and DPA 2018, please contact us.