Data Protection Impact Assessments

A data protection impact assessment (DPIA) is a structured way to identify and reduce the privacy risks of a new project before you start. For higher-risk processing it is a legal requirement.

This is general guidance on when and how to carry one out.

When a DPIA Is Required

  • Large-scale processing of special category data.
  • Systematic monitoring of public areas.
  • Profiling that significantly affects people.
  • Using new technologies in novel ways.

What the Process Involves

  1. Describe the processing and its purpose.
  2. Assess whether it is necessary and proportionate.
  3. Identify the risks to individuals.
  4. Decide on measures to reduce those risks.
  5. Record the outcome and review it over time.

A Useful Habit

Even where not strictly required, a lightweight DPIA is a sensible discipline for any project touching personal data. It surfaces problems while they are still cheap to fix.

Frequently Asked Questions

Who should be involved?

Typically the project lead, anyone responsible for data protection, and the technical team — plus the ICO if a high risk cannot be reduced.

If you need a hand with any of this, your Progressive Robot delivery team is ready to help. Raise a ticket from the Support area of your client portal or speak to your account manager and we will guide you through the next steps.