Data Protection Impact Assessments (DPIA)

A Data Protection Impact Assessment (DPIA) is a process to help an organisation identify and minimise data protection risks.

Whenever we introduce a new project or system, or we make significant changes to existing processing, and the processing is likely to result in high risk to the rights and freedoms of individuals, we must undertake a DPIA. This will ensure we identify and address all the potential risks to our customers’ information and that all possible measures are in place to keep information secure.

We have a standard procedure to follow when carrying out a DPIA. This procedure is based on guidance from the Information Commissioner’s Office.

The DPIA will:

  • Describe the nature, scope, context and purposes of the processing
  • Involve our data processors to help us understand and document their processing activities and identify any associated risks.
  • Consider how best to consult individuals (or their representatives) and other relevant stakeholders.
  • Seek the advice of our Data Protection Officer.
  • Check that the processing is necessary and proportionate to our purposes, and describe how we will ensure data protection compliance.
  • Provide an objective assessment of the likelihood and severity of any risks to individuals’ rights and interests.
  • Identify measures we can put in place to eliminate or reduce high risks.
  • Record the outcome of the DPIA, including any difference of opinion with our Data Protection Officer or individuals consulted.
  • Ensure the implementation of risk mitigation measures identified, and integrate them into our project plan.
  • Ensure consultation with the Information Commissioners Office (ICO) before processing if we cannot mitigate high risks

We keep our DPIAs under review and revisit them if necessary.