Data protection impact assessments (DPIA)

A DPIA will be carried out when:

  • starting a new project 
  • making significant changes to an existing process that could pose a high risk to people's rights and freedoms 

This helps us identify and address potential risks to customer information and make sure that measures are in place to keep information secure. 

We have a standard procedure to follow when carrying out a DPIA. This procedure is based on guidance from the Information Commissioner’s Office (ICO).

The DPIA will

  • describe the nature, scope, context and purposes of the processing
  • work with our data processors to understand and document their activities and identify risks
  • consider how best to consult individuals (or their representatives) and other relevant stakeholders
  • seek the advice of our Data Protection Officer
  • make sure the processing is needed and suitable for our goals, and explain how we'll ensure we comply with data protection rules
  • provide an objective assessment of the likelihood and severity of any risks to individuals’ rights and interests
  • identify measures we can put in place to eliminate or reduce high risks
  • record the outcome of the DPIA, including any difference of opinion with our Data Protection Officer or individuals consulted
  • implement the risk mitigation measures identified and include them in the project plan
  • ensure consultation with the Information Commissioners Office (ICO) before processing if we cannot mitigate high risks

We keep our DPIAs under review and revisit them if necessary.

Help us improve

Select how useful the page is
Back to top