Data protection impact assessment (DPIA)

Find out what a data protection impact assessment (DPIA) is, when it must be done and who should be involved. Download and adapt our DPIA template to save you time.

Last reviewed on 26 March 2024
School types: AllSchool phases: AllRef: 34261
  1. What is a data protection impact assessment?
  2. When do we need a DPIA?
  3. Who should be involved in the DPIA?
  4. How to carry out a DPIA
  5. Download our template

What is a data protection impact assessment?

A data protection impact assessment (DPIA) is part of your accountability requirements under the UK GDPR. It's a process that helps you:

  • Thoroughly analyse your data processing
  • Identify and minimise data protection risks
  • Comply with accountability obligations under the UK GDPR 
  • Assess and demonstrate how you comply with all of your data protection obligations

Even if you outsource your DPIA, e.g. to a relevant data processor, you remain responsible for it.

The Information Commissioner's Office (ICO) recommends that you provide staff training on DPIAs. Not every staff member will need to know about them, but make sure that anyone responsible for making decisions on data processing knows when to conduct a DPIA and how to do it.

When do we need a DPIA?

Deciding if you

The Key has taken great care in publishing this article. However, some of the article's content and information may come from or link to third party sources whose quality, relevance, accuracy, completeness, currency and reliability we do not guarantee. Accordingly, we will not be held liable for any use of or reliance placed on this article's content or the links or downloads it provides. This article may contain information sourced from public sector bodies and licensed under the Open Government Licence v3.0.