Data Protection Impact Assessments

Cathy Clark

Reading time: 3 minutes

A Data Protection Impact Assessment (DPIA) is a legal requirement under Article 35 of the UK GDPR when the processing of personal data is likely to result in a high risk to individuals’ rights and freedoms. It’s not just best practice or a “nice to have” to carry out a DPIA, but a statutory obligation that helps organisations identify and reduce privacy risks before they arise. Failing to carry out DPIAs can expose your organisation to regulatory action, reputational damage, and unnecessary risk.

When is a DPIA required?

High-risk processing often includes, for example:

  • Handling special category data (for example, health, biometric, criminal records).
  • Large-scale profiling or automated decision-making.
  • Processing involving vulnerable individuals, such as children or those with limited understanding of, or limited ability to exercise, their rights.
  • Introducing new technologies or changing how personal data is used.

If you’re unsure whether your processing is likely to result in a high risk to individuals, it’s better to check early. The cost of getting it wrong can be significant.

Organisations should actively consider carrying out DPIAs (even if they do not, on the face of it, perceive the processing as likely to result in “high risk” processing) whenever there is a change in the nature, scope, context or purpose of processing personal data; when introducing a new type of personal data to their processing activities; if there are any changes to how the data is being processed; or where there is a change in law relating to the processing of personal data.

Consequences of failing to carry out a DPIA

Failing to carry out a DPIA when required can lead to enforcement by the ICO, including fines. Beyond regulatory risk, poor data governance can damage trust and lead to complaints, litigation, and reputational harm.

Why does doing an accurate DPIA matter?

A well-prepared DPIA helps you:

  • Understand and justify the necessity and proportionality of your processing.
  • Identify risks to individuals and implement safeguards.
  • Demonstrate compliance and accountability to regulators and stakeholders.

It’s also an opportunity to strengthen your organisation’s governance and resilience in an increasingly data-driven environment. It therefore goes beyond a compliance exercise; it’s a strategic tool for building trust, demonstrating accountability, and embedding privacy into the design of your organisation’s operations.

It is considered best practice to periodically review your DPIAs (for example, annually) to ensure they remain accurate and reflect any changes in processing activities.

How can we help?

Cathy Clark is a Legal Director in our Commercial & IP team, specialising in commercial work (including contract drafting and advice).

For more information on the subjects discussed in this article, please contact Cathy or another member of the team in Derby, Leicester, or Nottingham on 0800 024 1976 or via our online enquiry form.
