How to do a Data Protection Impact Assessment (DPIA) in 5 steps

What is a Data Protection Impact Assessment?

A Data Protection Impact Assessment (DPIA) is a structured process that helps you identify and reduce privacy risks before a project goes live. Under UK GDPR, you must carry out a DPIA when a planned processing activity is likely to result in a high risk to the rights and freedoms of the individuals whose data you process (the data subjects). Even when it is not mandatory, a short DPIA is good practice. It surfaces risks early, documents sensible controls, and shows regulators and customers that you take accountability seriously.

When to run a DPIA

Run it early in the project, ideally at design stage or before procurement. You will almost certainly need a DPIA when one or more of the following apply, and the more that apply, the stronger the case:

  • Systematic and extensive evaluation or profiling of individuals, especially where automated decisions produce legal or similarly significant effects on them (e.g. access to credit, employment, or services).

  • Large-scale processing of personal data, particularly special category data such as health information, racial or ethnic origin, or political opinions.

  • Use of new or untested technologies that change how data is collected, linked, or analysed (e.g. new suppliers, AI, biometrics).

  • Vulnerable data subjects are involved, such as children, employees, or patients.

If you decide a DPIA is not required, record the reasoning and who approved it. A clear decision trail reduces delays later.

Why commercial teams care

A concise DPIA shortens procurement cycles, reduces legal back-and-forth, clarifies supplier responsibilities, and gives stakeholders confidence that risks are understood and managed.

What your DPIA should achieve

  • Give sponsors a clear view of data flows and risk

  • Show that the processing is necessary and proportionate

  • Set out practical controls with owners and dates

  • Provide an auditable record that satisfies customers and the ICO

How to do a DPIA in 5 steps

1) Confirm the need for a DPIA

Screen the project early. If there is large-scale personal or health data, profiling, new technology, or vulnerable users, you will likely need a DPIA. Record your decision either way, including who approved it and when you will review it.

Outcome: clarity on scope and ownership so the project can move forward without surprises.

2) Describe the processing

Set out who is involved, what data you will handle, why you need it, and how it will flow through systems and suppliers.

  • Nature: collection, storage, use, sharing, retention, deletion.

  • Scope: data types, volumes, systems, locations, transfers.

  • Context: data sources, supplier roles, data subject relationships.

  • Purpose: benefits to the organisation and to individuals.

Outcome: a one-page data flow diagram and a statement of responsibilities (who acts as controller and who as processor) that Legal, Security, and the customer can understand.

3) Assess necessity and proportionality

Show that the processing is justified and controlled.

  • State the lawful basis under UK GDPR and, where special category data is involved, the additional condition that permits processing it.

  • Demonstrate data minimisation, accuracy, access control, transparency, retention, and subject rights.

  • If the same result can be achieved with less data or fewer risks, adjust the design.

Outcome: evidence that the approach is reasonable and defensible in contracts and audits.

4) Identify and assess risks

List risks to individuals' rights and freedoms, not only risks to the organisation or purely technical issues.

  • Typical risks include unauthorised access, misuse, inaccurate decisions, loss of confidentiality, discrimination, and loss of control.

  • Rate likelihood and impact on a simple scale, and note factors that compound risk, such as reliance on a single supplier or international transfers.

  • Prioritise the risks that are both plausible and consequential.

Outcome: a clear, prioritised risk list that guides effort and spend.

5) Define measures and record the outcome

For each priority risk, state the control, the owner, and a target date. Include technical, procedural, and contractual measures such as encryption, role-based access, staff training, supplier due diligence, and tighter retention.

  • Reassess the residual risk after controls.

  • If high risk remains and you cannot reduce it, consult the ICO before going live.

  • Record sign-off by the project owner and senior risk owner, record the advice of your Data Protection Officer if you have one, and set a review point.

Outcome: agreed actions with accountable owners so the project can proceed with confidence.

Common mistakes to avoid

  • Starting the DPIA after procurement has begun.

  • Vague risks with no owner or deadline.

  • Ignoring shared controls with suppliers.

  • Treating the DPIA as paperwork rather than a design activity.

Make it useful

Keep a short summary alongside the full record: the lawful basis in plain language, the top risks and controls, and what would trigger a review. This speeds up customer due diligence and internal approvals.
