Key Takeaways
- A data protection impact assessment is required before any data processing activity that is likely to result in a high risk to the rights and freedoms of natural persons under UK GDPR Article 35.
- In plain terms, high risk includes large scale processing of special category data, systematic monitoring such as CCTV, or systematic and extensive evaluation using automated processing, such as profiling, that can produce legal or similarly significant effects.
- Article 35(3) lists three processing types requiring a DPIA with the article also specifically referencing new technologies, but the ICO also expects organisations to assess other high-risk processing operations and document why a DPIA is required or not.
- DPIAs must be conducted before processing begins, updated throughout the project’s lifecycle, and reviewed if there is a substantial change in processing.
A DPIA is not paperwork for its own sake. Done well, it helps identify and articulate business requirements, identify and mitigate data protection risks early, reduce data protection-related risks, and build trust with customers and regulators.
Explore our DPIA training
Before we dig into the detail, it’s worth knowing that if you’d like structured support beyond this article, we run a range of data protection training courses – including a dedicated course to help you with conducting a DPIA. We also offer courses designed for organisations at every stage of their compliance journey, including our Tkm Certificate in Data Protection Compliance.

What Is a Data Protection Impact Assessment (DPIA)?
A data protection impact assessment is a structured process used to identify, assess, and reduce data protection and data privacy risks in a specific processing operation. You may also see the phrase privacy impact assessment in older internal templates, but the UK GDPR term is DPIA.
DPIAs focus on processing activities, not the whole organisation. Examples include launching a new online service, rolling out a new HR platform in an employment context, collecting contact details through a customer app, or using new technologies to process data.
Since 25 May 2018, UK GDPR and the Data Protection Act 2018 have made DPIAs mandatory in certain cases under data protection legislation and wider data protection laws.
A good DPIA describes the envisaged processing operations, explains necessity and proportionality, identifies data protection risks, and records measures envisaged to address identified risks. It should also show data minimisation, security controls, transparency, and other data protection principles in action. Consultation essential can be beneficial during a DPIA, especially with affected data subjects, technical teams, suppliers. Where one is appointed, the data protection officer should also review and comment.
General Rule: When Is a DPIA Required Under UK GDPR?
A DPIA is required when data processing is likely to result in a high risk to individuals. More precisely, UK GDPR Article 35 requires controllers to assess whether planned processing of personal data is likely to result in a high risk to the rights and freedoms of natural persons.
A DPIA is mandatory for high-risk data processing and DPIAs must be conducted before processing begins. That means at the earliest possible stage in a project: scoping, procurement, design, or business-case stage, not after launch.
One DPIA can cover similar processing operations where the nature, scope, context, purpose, geographical extent, and risks are comparable. For example, one assessment may cover the same CCTV system rolled out to 50 retail sites although should always be reviewed to ensure there are no different circumstances for each time you wish to use it.
To decide when is a DPIA required, look at the nature of the personal data, the scale, the purpose, whether vulnerable data subjects are involved, and whether the project uses innovative technology or automated processing. Failure to conduct a DPIA may result in reputational damage, and, where individuals suffer harm, compensation claims for GDPR breaches due to DPIA failures. It may also result in enforcement actions, such as reprimands or fines under GDPR,
What Does “High Risk” Mean in Practice?
High risk means risk to people. While risks to people may result in risks to the organisation that you may want to capture, this is not the primary focus of a DPIA. A DPIA should assess risks to individuals’ rights and freedoms, including financial loss, discrimination, identity theft, psychological distress, physical harm, and damage to data protection rights.
Controllers must consider both the likelihood and severity of harm. What some may consider to be a low-impact event can still be high risk if the impact could be severe, such as exposure of an individual’s home address or email address. For some people, the impact of this type of information becoming widely available could be life changing. Not performing a DPIA increases the risk of data breaches because privacy, access control, retention, and security weaknesses may not be identified.
While no longer directly applicable in the UK, guidance from the European Data Protection Board (EDPB), as well as from the ICO highlights factors such as systematic monitoring, profiling, sensitive data, vulnerable individuals, and new technologies as being particularly high risk. A single strong factor can also be enough to require a DPIA although you should consider a DPIA (and document the reasons why you don’t think one is required) if two or more of these factors will be used in your project, such as automated decisions that produce legal effects or similarly significantly affect people.
Types of Processing That Automatically Require a DPIA
UK GDPR Article 35(3) and the ICO’s high-risk examples identify cases where a data protection impact assessment (DPIA) must be completed before processing starts.
These include systematic and extensive profiling based on automated processing, including an extensive evaluation of personal aspects relating to a person where that will result in legal or similarly significant effects. In 2026, this may include algorithmic credit scoring, AI recruitment screening, or automated insurance pricing.
Processing large-scale special categories of data requires a DPIA, including health data, genetic data, biometric data used for identification, and data referred to in Article 9 of the UK GDPR. Large scale processing of personal data relating to criminal convictions also triggers the requirement. Scale depends on a number of factors including volume, duration, and geographical extent.
DPIAs are required for systematic monitoring of publicly accessible areas. Systematic monitoring of a publicly accessible area on a large scale, such as a town-centre CCTV network, requires a DPIA.
Other Indicators That a DPIA Is Needed (High-Risk Criteria)
Not every high-risk scenario is listed in the law, so the controller must screen processing activities against recognised risk indicators. The ICO has developed a list of high risk processing that should also be taken into consideration.
You should expect to carry out a DPIA where projects involve profiling and scoring, systematic monitoring, sensitive data, large scale datasets, combining datasets from different sources, vulnerable people, children, patients and other healthcare data, employees in the majority of contexts, innovative technology, location tracking, or preventing data subjects from exercising a right or receiving a service.
Combining datasets from different sources could require a DPIA. New technologies may require a DPIA when processing data.
If two criteria appear together, such as AI analytics plus customer behaviour tracking, assume the processing may result in a high risk. If you decide no DPIA is needed, record the date, decision-makers, risk factors, and reasoning to demonstrate compliance and ensure compliance with your data protection obligations.
Common Real-World Scenarios Where a DPIA Is Required
A DPIA is required for a national retailer installing CCTV and access-control systems across all UK offices: this involves systematic monitoring and may capture employees, visitors, and vulnerable data subjects.
A DPIA is required for an AI marketing platform profiling millions of customers across Europe: this involves automated decision making, large scale personal data, online services, and is likely to require the balancing of legitimate interests.
A DPIA is required for biometric time-and-attendance: biometric data in the employment context creates power imbalance and sensitive data concerns. We have seen decisions from the ICO on this previously, take a look.
A DPIA is required for an NHS portal consolidating patient records: processing health data on a large scale is considered high risk.
A DPIA is required for a 2026 ed-tech platform monitoring children’s behaviour and performance: children’s data, profiling, and personal and social consequences amplify the inherent risks in these types of data and activities.
Small organisations are not exempt. A fitness app processing special category data or a small employer using intensive monitoring tools is still likely to need a DPIA.
When a DPIA Is Not Required (But Might Still Be Sensible)
A DPIA is not legally required where processing is unlikely to create high risk, such as a small business mailing list using limited business contact details in a way people clearly expect. You should also remember that many tools and systems that you might purchase may have processing that is unintended or unwanted functionality. However, if you are responsible for the processing, it must still be properly reviewed.
If an earlier DPIA already covers very similar processing operations, you may be able to rely on it, provided no new risks arise.
Additionally, processing clearly defined by UK law, or member state law in an EU context, and already covered by a suitable impact assessment may not require a separate DPIA. Even when not legally required, conducting a DPIA is considered best practice, especially for new suppliers, cloud tools or new systems, or cross-border data collection.
Project Timing: When in the Lifecycle Should You Carry Out a DPIA?
The DPIA must happen before the start of high-risk processing. Early assessment lets you redesign the project, define procurement requirements, choose less intrusive organisational solutions, and build in data protection by design.
DPIAs should be updated throughout the project’s lifecycle. Organisations must also review their DPIA if there is a change in processing, such as new data sources, a move from pilot to large scale, or adding an AI module. It can be helpful to set out in response to an initial DPIA how frequently it should be reviewed. Frequency should depend on risk associated with the data being processed as well as processing activities, and stage in the project. Once a project has be implemented, a DPIA should be reviewed at regular intervals to ensure that controls remain fit for purpose.
Conducting a DPIA after launch simply to tick a box is highly unlikely to comply with legislation. Build DPIA checkpoints into project governance, procurement, change control, and information security reviews.
Who Is Responsible for Deciding Whether a DPIA Is Required?
The controller is responsible for deciding whether a DPIA is required and for completing it properly. Under data protection law, processors must assist, but they cannot replace controller accountability.
Where there is a data protection officer (DPO), the controller must seek and record the DPO’s advice. In practice, project sponsors, legal, compliance, IT, security, and business owners should all contribute to the DPIA and help complete it.
For complex analytics, automated processing, or cross-border processing operations, specialist support is sensible. Our live-attended Conducting Data Protection Impact Assessments course helps DPOs, privacy leads, and project managers recognise when a DPIA is required and manage the process effectively.
<Insert CTA section here, course tile>
What If There Is “Residual High Risk” After the DPIA?
Residual risk means risk that remains after controls have been proposed. If residual high risk remains, the controller must consult the ICO before starting the processing and share the DPIA and mitigation plan.
The ICO may advise extra safeguards although they can advise that the project should not proceed. Controllers should not start or continue the planned data processing while prior consultation is ongoing.
Document which risks were accepted, by whom, and why. This matters if data protection authorities later investigate data breaches or complaints.
How to Build Internal Capability: Training and Support
Correctly deciding when is a DPIA required can be difficult, especially with AI, children’s data, health platforms, monitoring tools, and large scale processing. The complexity can also increase with new technologies: it’s often difficult to know exactly how a system is going to process personal data.
Structured training helps staff understand automatic triggers, apply ICO guidance, assess personal aspects of processing, and keep records that demonstrate compliance. DPIAs help organizations comply with GDPR requirements, enhance awareness of data protection risks in organizations, and foster trust with customers and regulators.
Our live-attended Conducting Data Protection Impact Assessments course covers when a DPIA is required, how to scope one, how to assess data protection risks, and what to do when residual high risk requires ICO consultation.
Questions About When DPIAs Are Required
These answers cover practical DPIA questions that often arise after the initial screening.
Do public authorities have to carry out DPIAs more often than private companies?
The legal requirements are the same: is the processing likely to result in a high risk? In practice, public authorities often use large datasets, CCTV, social care systems, education records, or other higher risk datasets so DPIAs may be needed more often.
Because many public-sector data subjects are some kind of service user including patients, pupils, or benefit recipients, there should be careful assessment and review.
How often should we review or update an existing DPIA?
There is no fixed statutory period. Guidance from the EDPB and good practice is to review major DPIAs every two to three years, or sooner where the purpose, system, supplier, scale, or risk changes.
Any kind of security incident or breach, new ICO guidance, or a change to the process such as a pilot becoming a wider rollout should trigger review.
Do we need to publish our DPIA or share it with data subjects?
UK GDPR does not require you to publish a DPIA. However, a short public summary can improve transparency, especially for intrusive public-sector projects. You should also remember that you will need to make sure that you include any processing in a privacy notice and the information gathered as part of a DPIA may be helpful in creating a privacy notice where required.
Make sure you remove security-sensitive and commercially confidential information before publishing. You should never publish information about how you are securing information.
It may also be appropriate to seek the views of the data subject on the intended process as part of completing the DPIA.
Is a DPIA still needed if we use third-party software?
Yes. Vendor software does not remove the controller’s duty. If your use of the tool is high risk, you must assess it.
Make sure you conduct appropriate due diligence and ask suppliers for security papers, privacy documentation, and any DPIA material, then incorporate it into your own assessment.
Can we treat this article as legal advice?
No. This article is general guidance based on UK GDPR and ICO guidance. It is not tailored legal advice.
For borderline cases involving AI, international transfers, or sensitive data, it’s good practice to conduct a DPIA although if you have any concerns or queries, you should seek specialist advice or consider formal DPIA training.


