
What is a Data Protection Impact Assessment and when is it needed?

When required: Mandatory
Timing: Before processing
Trigger condition: High risk
UK GDPR section: Article 35

The Short Answer

A Data Protection Impact Assessment (DPIA) is a process to identify and minimise data protection risks in high-risk processing activities. It is legally required under UK GDPR before starting any processing likely to result in high risk to individuals’ rights and freedoms.

What the Law Says

The UK General Data Protection Regulation (UK GDPR) sets out when and how organisations must carry out a Data Protection Impact Assessment (DPIA). A DPIA is not optional for certain types of processing — it is a legal requirement designed to prevent harm to individuals’ privacy rights.

Under UK law, a DPIA must be carried out before beginning any processing of personal data that is 'likely to result in a high risk to the rights and freedoms of natural persons'. Article 35(3) names three cases in which a DPIA is always required: a systematic and extensive evaluation of individuals based on automated processing, including profiling, on which decisions with legal or similarly significant effects are based; large-scale processing of special category data or criminal offence data; and systematic monitoring of a publicly accessible area on a large scale.

The Information Commissioner’s Office (ICO) publishes guidance on what counts as 'high risk', including a list of processing operations for which it requires a DPIA, but the responsibility to assess and document that judgment rests with the controller. If the DPIA concludes that the processing would still present a high risk after the planned mitigations, the controller must consult the ICO before starting the processing (the prior consultation procedure in Article 36).

Failure to conduct a required DPIA is an infringement of UK GDPR and can lead to enforcement action, including fines of up to £8.7 million or 2% of total worldwide annual turnover, whichever is higher. That is the standard maximum under Article 83(4), which covers the controller's obligations in Articles 25 to 39; the higher maximum of £17.5 million or 4% applies to infringements of the core principles, lawful bases and data subject rights, not to Article 35 itself.

Statutory Text

Where a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the commencement of the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.

UK GDPR, Article 35(1) — Data protection impact assessment

Statutory Text

The assessment shall contain at least: (a) a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller; (b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes; (c) an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.

UK GDPR, Article 35(7) — Content of the assessment

Not legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: 2026-06-08.