Do you need to carry out a DPIA?

  • What is the objective/intended outcome of the project?
  • Is it a significant piece of work affecting how services/operations are currently provided?
  • Who is the audience or who will be affected by the project?
  • Will the project involve the collection of new information about people (e.g. new identifiers or behavioural information relating to individuals)?
  • Will the project involve combining anonymised data sources in a way that may give rise to a risk that individuals could be identified?
  • Will the project involve combining datasets originating from different processing operations or data controllers in a way which would exceed the reasonable expectations of the individuals?
  • Is data being processed on a large scale?
  • Will the project compel individuals to provide information about themselves?
  • Will information about individuals be disclosed to organisations or people who have not previously had routine access to the information?
  • Will personal information be transferred outside the EEA?
  • Is information about individuals to be used for a purpose it is not currently used for, or in a way it is not currently used?
  • Will information about children under 16 or other vulnerable persons be collected or otherwise processed?
  • Will new technology be used which might be seen as privacy intrusive (e.g. tracking, surveillance, observation or monitoring software, or capture of image, video, audio or location data)?
  • Is monitoring, tracking or profiling of individuals taking place?
  • Is data being used for automated decision making with legal or similar significant effect?
  • Is data being used for evaluation or scoring (e.g. performance at work, economic situation, health, interests or behaviour)?
  • What sensitive data is being collected?
  • Will the processing itself prevent data subjects from exercising a right or using a service or contract?
  • Is the information about individuals of a kind likely to raise privacy concerns or is it information people would consider to be particularly private or confidential?
  • Will the project require contact to be made with individuals in ways they may find intrusive?

Other issues to consider when carrying out a DPIA

In addition to considering the above issues in greater detail, when conducting a DPIA, you will also need to look at issues including:

  • The lawful grounds for processing and the capture of consent where appropriate
  • The purposes the data will be used for, how this will be communicated to the data subjects and the lawful grounds for processing
  • Who the data will be disclosed to
  • Where the data will be hosted and its geographical journey (including how data subjects will be kept informed about this)
  • The internal process for risk assessment
  • Who needs to be consulted (DPO, data subjects, regulator)
  • Data minimisation (including whether data can be anonymised)
  • How accuracy of data will be maintained
  • How long the data will be retained and what the processes are for deletion of data
  • Data storage measures
  • Data security measures including what is appropriate relative to risk and whether measures such as encryption or pseudonymisation can be used to reduce risk
  • Opportunities for data subjects to exercise their rights
  • What staff training is being undertaken to help minimise risk
  • The technical and organisational measures used to reduce risk (including allowing different levels of access to data and red-flagging unusual behaviour or incidents)