Data protection · 1 July 2026
DPIA explained: when and how to run a Data Protection Impact Assessment
A Data Protection Impact Assessment (DPIA) is one of the most useful tools in UK GDPR — a structured way to identify and reduce data protection risks before you start something new. This guide explains when you need one and how to run it.
What a DPIA is
A DPIA is a documented process for assessing how a new activity or system might affect people’s privacy, and for reducing any risks to an acceptable level. It’s not just a compliance formality: done properly, it helps you design safer processes, avoid costly mistakes and demonstrate accountability to the ICO.
When a DPIA is required
Under UK GDPR, a DPIA is mandatory whenever processing is likely to result in a high risk to people’s rights and freedoms. The ICO sets out situations that always require one, and others where it’s strongly advisable. You must carry out a DPIA if you plan to:
- Use new technologies in a way that may be intrusive
- Carry out large-scale processing of special-category data (such as health data)
- Systematically monitor a publicly accessible area (for example, CCTV)
- Undertake profiling or automated decision-making with significant effects
- Match or combine datasets, or process data about vulnerable individuals
Even where a DPIA isn’t strictly mandatory, running one for any significant new processing is good practice. Common triggers in care and healthcare include introducing electronic care records, medication management apps, CCTV, or new data-sharing arrangements — see our UK GDPR in healthcare guide.
The steps of a DPIA
A DPIA follows a logical sequence. The ICO provides a template, but the core steps are consistent:
1. Describe the processing
Set out what you plan to do: what data is involved, how it’s collected, used, stored and shared, and for how long. This links closely to your Record of Processing Activities (RoPA).
2. Assess necessity and proportionality
Ask whether the processing is genuinely necessary to achieve your aim, and whether you could achieve the same outcome with less data or less intrusion. Confirm your lawful basis and, for special-category data, your additional condition.
3. Consult where appropriate
Consider seeking the views of the people whose data you’ll process, or their representatives, and involve your Data Protection Officer if you have one. This can surface risks you hadn’t considered.
4. Identify and assess the risks
Work through what could go wrong and the potential impact on individuals — for example unauthorised access, inaccurate records, or data being kept too long. Rate each risk by likelihood and severity.
| Risk | Likelihood | Severity | Overall |
|---|---|---|---|
| Unauthorised access to records | Medium | High | High |
| Data retained too long | Medium | Medium | Medium |
| Inaccurate data affecting care | Low | High | Medium |
5. Identify measures to reduce the risks
For each risk, decide what controls will reduce it — encryption, access restrictions, staff training, clearer retention rules, contractual safeguards with suppliers, and so on. The aim is to bring each risk down to an acceptable level.
6. Record and sign off
Document your conclusions, the residual risks and who has approved the processing. Keep the DPIA as a living record and revisit it if the processing changes.
What if a high risk remains?
If, after applying every reasonable measure, a high residual risk remains, you must consult the ICO before starting the processing. This is rare, but the requirement is important. In practice, a well-run DPIA usually reduces risks enough to proceed with confidence.
The benefits beyond compliance
It’s tempting to see a DPIA as a hurdle, but organisations that do them well find they deliver real value. A DPIA forces you to think through a new project before committing to it, which often surfaces practical problems — a supplier’s weak security, an unnecessary data field, an unclear retention rule — while they’re still cheap to fix. It also builds trust: being able to show service users, families and commissioners that you assessed the privacy impact of a new system is a mark of a well-run organisation. And it strengthens your accountability position, giving you documented evidence that you considered risks and acted on them.
How a DPIA fits with your other records
A DPIA doesn’t sit in isolation. It draws on your RoPA to describe the processing, feeds into your privacy notices so people are told what you’re doing, and may highlight the need for staff training or a supplier contract. Thinking of these documents as a connected set, rather than separate chores, makes each one quicker to produce and keeps them consistent with one another.
Common mistakes
- Treating the DPIA as a one-off form rather than a genuine assessment
- Starting the project before completing the DPIA
- Failing to involve the people who actually run the process
- Not revisiting it when the processing later changes
- Rating every risk as “low” to reach a comfortable conclusion
How we can help
DPIAs are straightforward once you’ve done a few, but the first ones can feel daunting — especially for high-risk processing involving health data. We offer a clear, fixed-fee engagement that helps you complete robust, proportionate DPIAs and supports your team in embedding them as routine practice. To find out more, explore our data protection service or get in touch for a friendly, no-obligation chat.
Need help in practice? See our Data Protection & UK GDPR service.