Risks and data protection impact assessments (DPIAs)

The need to identify, assess and manage privacy risks is an integral part of accountability. Understanding the risks of the way you use personal data specifically is central to creating an appropriate and proportionate privacy management framework. A DPIA is a key risk management tool, and an important part of integrating ‘data protection by design and by default’ across your organisation. It helps you to identify, record and minimise the data protection risks of projects. DPIAs are mandatory in some cases and there are specific legal requirements for content and process. If you cannot mitigate a high risk, you must have a process for reporting this to the ICO.

At a glance – what we expect from you

• Identifying, recording and managing risks
• Data protection by design and by default
• DPIA policy and procedures
• DPIA content
• DPIA risk mitigation and review

Identifying, recording and managing risks

Your organisation has appropriate policies, procedures and measures to identify, record and manage information risks.

Ways to meet our expectations:

• An information risk policy (either a separate document or part of a wider corporate risk policy) sets out how your organisation and its data processors manage information risk, and how you monitor compliance with the information risk policy.
• You have a process to help staff report and escalate information governance or data protection concerns and risks to a central point, for example staff forums.
• You identify and manage information risks in an appropriate risk register, which includes clear links between corporate and departmental risk registers and the risk assessment of information assets.
• You have formal procedures to identify, record and manage risks associated with information assets in an information asset register.
• If you identify information risks, you have appropriate action plans, progress reports and a consideration of the lessons learnt to avoid future risk.
• You put measures in place to mitigate the risks identified within risk categories, and you test these regularly to make sure that they remain effective.

Have you considered the effectiveness of your accountability measures?

• Do staff know how to report and escalate concerns and risks?
• Could staff explain the links between the information risk register, the risk assessment of information assets, departmental risk registers and the corporate risk register?

Data protection by design and by default

You take a data protection by design and by default approach to managing risks, and, as appropriate, you build DPIA requirements into policies and procedures.

Ways to meet our expectations:

• You reference DPIA requirements in all risk, project and change management policies and procedures, with links to DPIA policies and procedures.
• Your procedures state that, if required, a DPIA should begin at the project's outset, before processing starts, and that the DPIA must run alongside the planning and development process.
• You anticipate risks and privacy-invasive events before they occur, making sure that at the initial design phase of any system, product or process and throughout, you consider the:
  
  • intended processing activities;
  • risks that these may pose to the rights and freedoms of individuals; and
  • possible measures available to mitigate the risks.

  Have you considered the effectiveness of your accountability measures?

  • Would staff working on personal data processing projects be able to explain how they manage the risks as part of the project?

  DPIA policy and procedures

  You understand whether a DPIA is required, or where it would be good practice to complete one. There is a clear DPIA policy and procedure.

  Ways to meet our expectations:

  • You have a DPIA policy which includes:
    • clear procedures to decide whether you conduct a DPIA;
    • what the DPIA should cover;
    • who will authorise it; and
    • how you will incorporate it into the overall planning.

    Have you considered the effectiveness of your accountability measures?

    • Are your policies and procedures easy to locate?
    • Are staff aware of the process?
    • Do they consider it effective?
    • Have they had adequate training?
    • Are DPIAs conducted by those with appropriate authority to effect change?

    DPIA content

    DPIAs always include the appropriate information and are comprehensively documented.

    Ways to meet our expectations:

    • Your organisation has a standard, well-structured DPIA template which is written in plain English.
    • DPIAs:
      • include the nature, scope, context and purposes of the processing;
      • assess necessity, proportionality and compliance measures;
      • identify and assess risks to individuals; and
      • identify any additional measures to mitigate those risks.

      Have you considered the effectiveness of your accountability measures?

      • Do staff use the DPIA template and find it easy to understand?
      • Is the process effective?
      • Is the DPO satisfied that their advice is taken into account?
      • Are they satisfied with any consultation that has taken place and how that you reflect any feedback in the outcome?

      DPIA risk mitigation and review

      You take appropriate and effective action to mitigate or manage any risks a DPIA identifies, and you have a DPIA review process.

      Ways to meet our expectations:

      • You have a procedure to consult the ICO if you cannot mitigate residual high risks.
      • You integrate outcomes from DPIAs into relevant work plans, project action plans and risk registers.
      • You do not start high risk processing until mitigating measures are in place following the DPIA.
      • You have a procedure to communicate the outcomes of DPIAs to appropriate stakeholders, eg through a formal summarised report.
      • You consider actively publishing DPIAs where possible, removing sensitive details if necessary.
      • You agree and document a schedule for reviewing the DPIA regularly or when the nature, scope, context or purposes of the processing changes.

      Have you considered the effectiveness of your accountability measures?

      • Do staff understand when to consult the ICO?
      • Do you effectively integrate outcomes from DPIAs into projects?
      • Are appropriate stakeholders aware of the outcomes of DPIAs?

      Further reading

      ICO guidance:

      • Data protection impact assessments
      • Data protection by design and by default
      • ICO template: DPIA template

      External guidance:

      • The National Archives: Information Assurance
      • The National Archives: Managing information risks
      • National Cyber Security Centre: 10 Steps to Cyber Security – Risk Management Regime
      • Share this page
      • Print this page
      • RSS feeds