When is a GDPR DPIA Required?

When is a DPIA Required? GDPR legal obligations

DataGRC consultants help a large number of organisations and have found there’s still a lot of confusion in companies around when DPIAs (Data Protection Impact Assessments) are legally required under GDPR – the UK and EU data protection legislation.

We’ve found that many organisations are doing more DPIAs than they need to, while other organisations haven’t done any DPIAs at all.

So, when are Data Protection Impact Assessments needed?

Let’s find out…

Why is a DPIA required?

UK GDPR (article 35) requires organisations to perform Data Protection Impact Assessments before performing high risk purpose of processing.

Word for word, GDPR says:

Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.

There’s a lot of organisations doing DPIAs for all processes, or only outsourced processing, but that’s not what GDPR is asking for.

There’s also GDPR article 32 that separately asks us to do security risk assessments (in a slightly cack-handed way), so that’s a different thing that still needs to be done!

The focus on DPIAs is the purpose of processing – the reason of doing the processing, and whether than might create a high risk to individual’s privacy.

Both the UK’s Information Commissioner’s Office (the ICO) and the EU Data Protection Board (at the time, mysteriously known as Working Party 29 – WP29) have provided some guidance around what type of processing might be deemed high risk, which might help…

When is a DPIA required? The ICO List

The ICO gave us 10 examples, because they have a legal obligation to. The gave us:

  1. Innovative technology: processing involving the use of innovative technologies, or the novel application of existing technologies (including AI).
  2. Denial of service: Decisions about an individual’s access to a product, service, opportunity or benefit that is based to any extent on automated decision-making (including profiling) or involves the processing of special category data.
  3. Large-scale profiling: any profiling of individuals on a large scale.
  4. Biometrics: any processing of biometric data.
  5. Genetic data: any processing of genetic data, other than that processed  by an individual GP or health professional for the provision of health care direct to the data subject.
  6. Data matching: combining, comparing or matching personal data obtained from multiple sources.
  7. Invisible processing: processing of personal data that has not been obtained direct from the data subject in circumstances where the controller considers that compliance with Article 14 would prove impossible or involve disproportionate effort.
  8. Tracking: processing which involves tracking an individual’s geolocation or behaviour, including but not limited to the online environment. 
  9. Targeting of children or other vulnerable individuals: the use of the personal data of children or other vulnerable individuals for marketing purposes, profiling or other automated decision-making, or if you intend to offer online services directly to children.
  10. Risk of physical harm: where the processing is of such a nature that a personal data breach could jeopardise the [physical] health or safety of individuals.

What is a DPIA Require? The WP29 List

The WP29 started with a list of 9 items:

  1. Evaluation or scoring.
  2. Automated decision-making with legal or similar significant effect.
  3. Systematic monitoring.
  4. Sensitive data or data of a highly personal nature.
  5. Data processed on a large scale.
  6. Matching or combining datasets.
  7. Data concerning vulnerable data subjects.
  8. Innovative use or applying new technological or organisational solutions.
  9. Preventing data subjects from exercising a right or using a service or contract.

Then, WP29 has been even more helpful by providing some hints and tips, for when a DPIA might be needed or not needed.

They said a DPIA is (probably) needed for:

Examples of processingPossible Relevant criteria
A hospital processing its patients’ genetic and health data (hospital information system).Sensitive data or data of a highly personal nature.
Data concerning vulnerable data subjects.
Data processed on a large-scale.
The use of a camera system to monitor driving behavior on highways. The controller envisages to use an intelligent video analysis system to single out cars and automatically recognize license plates.Systematic monitoring.
Innovative use or applying technological or organisational solutions.
A company systematically monitoring its employees’ activities, including the monitoring of the employees’ work station, internet activity, etc.Systematic monitoring.
Data concerning vulnerable data subjects.
The gathering of public social media data for generating profiles.Evaluation or scoring.
Data processed on a large scale.
Matching or combining of datasets.
Sensitive data or data of a highly personal nature.
An institution creating a national level credit rating or fraud database.Evaluation or scoring.
Automated decision making with legal or similar significant effect.
Prevents data subject from exercising a right or using a service or a contract.
Sensitive data or data of a highly personal nature.
Storage for archiving purpose of pseudonymised personal sensitive data concerning vulnerable data subjects of research projects or clinical trialsSensitive data.
Data concerning vulnerable data subjects.
Prevents data subjects from exercising a right or using a service or a contract.

Then, WP29 said a DPIA is probably not required for:

Examples of processingPossible Relevant criteria
A processing of “personal data from patients or clients by an individual physician, other health care professional or lawyer” (Recital 91).Sensitive data or data of a highly personal nature.
Data concerning vulnerable data subjects.
An online magazine using a mailing list to send a generic daily digest to its subscribers.Data processed on a large scale.
An e-commerce website displaying adverts for vintage car parts involving limited profiling based on items viewed or purchased on its own website.Evaluation or scoring.

GDPR DPIA Consulting and Training

We hope this information has been of use.

If you think that further information is needed, if our specialist GDPR advisors and outsourced DPOs could help reviewing or create your DPIAs, or if you would like to join our training sessions, please call us on 0800 292 2126 or send us a message here: