This document follows the process set out in the Information Commissioner’s DPIA guidance, and you should read it alongside that guidance and the Criteria for an acceptable DPIA set out in European guidelines on DPIAs.

Start to fill out the template at the beginning of any major project involving the use of personal data, or if you are making a significant change to an existing process. Integrate the final outcomes back into your project plan.

Step 1: Identify the need for a DPIA
Step 2: Describe the processing
Step 3: Consultation process
Step 4: Assess necessity and proportionality
Step 5: Identify and assess risks
Step 6: Identify measures to reduce risk
Step 7: Sign off and record outcomes

Sign-off and outcomes table (Step 7). The Item column entries are not reproduced in this extract; the Notes column reads:

Item    Notes
        Integrate actions back into the project plan, with a date and a named person responsible for completion
        If accepting any residual high risk, consult the ICO before going ahead
        The DPO should advise on compliance, on the step 6 measures and on whether the processing can proceed
        If the DPO's advice is overruled, you must explain your reasons
        If your decision departs from individuals' views, you must explain your reasons
        The DPO should also review ongoing compliance with the DPIA