The Information Commissioner’s Office has published guidance on how to carry out a DPIA (Data Protection Impact Assessment).

DPIA guidance

The guidance is intended to help organisations undertake such assessments and:

  • Explains the importance of DPIAs in relation to organisations’ accountability requirements under the GDPR
  • Confirms that when considering the likelihood of ‘high risk’, the focus should be on any potential harm to individuals including any intangible harms, such as ‘significant economic or social disadvantage’
  • Lists high-risk types of processing, including when using new technologies, processing biometric data or targeting vulnerable individuals
  • Refers to the Article 29 Working Party’s guidance on nine criteria which could indicate likely high-risk processing
  • Includes a DPIA awareness checklist for organisations to use when deciding whether it is necessary to undertake a DPIA.