top of page


The Data Protection Impact Assessment

The Data Protection Act 1998 has resulted in most DIO systems having Privacy Impact Assessments (PIA’s) conducted and documented. Article 23 of GDPR requires Data Controllers to conduct a Data Protection Impact Assessment (DPIA) for all high-risk processing activities.

Purpose of the DPIA

There can be a multitude of reasons for conducting a DPIA, but the main purposes are:

  • To identify privacy risks to individuals

  • To identify privacy and Data Protection compliance liabilities for the organisation

  • To protect the reputation of the business

  • To instil public trust and confidence in the project/product/service

Projects that need a DPIA

A DPIA should be completed “where public authorities or bodies intend to establish a common application or processing platform or where several controllers plan to introduce a common application or processing environment across an industry sector or segment or for a widely used horizontal activity”. In addition Government departments in the UK are required to conduct DPIA’s for all new Projects. Whilst there is no statutory requirement for a DPIA to be developed in all projects under GDPR, the government has chosen to do so in the interests of best practice. Examples of typical projects that require a DPIA to be carried out might include, but are not limited to:

  • A new IT system for storing and accessing personal data.

  • A data sharing initiative where two or more organisations seek to pool or link sets of personal data.

  • A proposal to identify people in a particular group or demographic and initiate a course of action.

  • Using existing data for a new and unexpected or more intrusive purpose.

  • A new surveillance system (especially one which monitors members of the public) or the application of new technology to an existing system (for example adding Automatic number plate recognition capabilities to existing CCTV).

  • A new database which consolidates information held by separate parts of an organisation.

  • Legislation, policy or strategies which will impact on privacy through the collection or use of information, or through surveillance or other monitoring.

To find out more read the full IL7 DPIA Policy here

bottom of page