Skip to content
All posts

What are Data Protection Impact Assessments?

Public sector organisations store and deal with highly personal information and data from the public.

So, why would we want to risk losing it or allowing it to get into the wrong hands? 

Although the General Data Protection Regulation (GDPR) hasn't significantly changed since 2018, it's still the biggest and most important regulation all organisations that target or collect data related to people in the EU have to follow.

So, where do data protection impact assessments come in?

Person using a laptop to write a data protection impact assessment

What are Data Protection Impact Assessments (DPIA)?

Also known as privacy impact assessments or PIA, they are essentially risk assessments detailing how organisations will process the personal data they hold. They have been designed as an early warning process for potential threats to operations.

The Information Commissioner's Office has long championed the process as a key part of its privacy-by-design strategy. Furthermore, whilst DPIAs are not a new concept, the importance of GDPR places greater significance on their use - especially since DPIAs are now a mandatory requirement in certain circumstances.

Data compliance blog pillar page link

When Should I Conduct a DPIA?

You must carry out a DPIA when:

  • Using new technologies
  • The processing is likely to result in a high risk to the rights and freedoms of individuals.

Processing that is likely to result in a high risk includes (but is not limited to):

  • Systematic and extensive processing activities, including profiling and decisions that have legal effects – or similarly significant effects – on individuals.
  • Large-scale processing of special categories of data or personal data in relation to criminal convictions or offences. This includes processing a considerable amount of personal data at a regional, national or supranational level that affects a large number of individuals; and involves a high risk to rights and freedoms e.g. based on the sensitivity of the processing activity
  • Large-scale systematic monitoring of public areas (CCTV)

Is your public sector organisation struggling to prevent cyber-attacks? Find out why that might be here.

What Information Should the DPIA Contain?

  • A description of the processing operations and the purposes, including, where applicable, the legitimate interests pursued by the controller
  • An assessment of the necessity and proportionality of the processing in relation to the purpose
  • An assessment of the risks to individuals
  • The measures in place to address risk, including security and to demonstrate that you comply
  • A DPIA can address more than one project

See the ICO’s conducting privacy impact assessments code of practice for good practice advice.

How to Build Your Data and Digital Skills as a Public Sector Professional

Whether you're a Data Protection Officer or you work in digital communications, we've got a training course just for you. View our upcoming Data Compliance training courses and secure your spot today to avoid missing out on expert insights. 

data compliance training courses cta button

Chloe Martin
Senior Content Editor

2+ years in SEO and content marketing. Striving to help public sector professionals develop their skills and learn something new through high-quality content.