Data Protection Impact Assessment (DPIA)
A Data Protection Impact Assessment (DPIA) is a process to help you identify and minimise the data protection risks of a project.
You must conduct a DPIA for processing that is likely to result in a high risk to individuals. This includes some specified types of processing. You can use our screening checklists and check our guidance to help you decide when to do a DPIA. It is also good practice to do a DPIA for any other major project which requires the processing of personal data.
Your DPIA must:
- describe the nature, scope, context and purposes of the processing;
- assess necessity, proportionality and compliance measures;
- identify and assess risks to individuals; and
- identify any additional measures to mitigate those risks.
To assess the level of risk, you must consider both the likelihood and the severity of any impact on individuals. High risk could result from either a high probability of some harm, or a lower possibility of serious harm.
You should consult your data protection officer (if you have one) and, where appropriate, individuals and relevant experts. Any processors may also need to assist you.
If you identify a high risk that you cannot mitigate, you must consult the JOIC before starting the processing. You can submit your DPIA for prior consultation using the form below: fill in the relevant boxes and upload your completed DPIA and any supporting documents.
Once we have received your DPIA, we will review it and give written advice within eight weeks, or within 14 weeks in complex cases. If appropriate, we may issue a formal warning not to process the data, or ban the processing altogether.
If you have mitigated all of the high risks you identified, you do not need to submit your DPIA, but the JOIC encourages consultation and will consider any DPIA submitted to it.
Where you have submitted a DPIA for consultation, you must not start the processing activity until the consultation has concluded and you have received the appropriate approval from the JOIC.