Data protection impact assessment policy

  • Quick and easy to complete
  • Streamlines your data protection procedures
  • UK GDPR compliant

A data protection impact assessment policy is an internal document setting out how and when your business will assess the data protection risks of its activities. It’s important to have proper policies and procedures in place when you’re handling personal data, and carrying out a data protection impact assessment is mandatory in some circumstances under Article 35 UK GDPR. A data protection impact assessment may also be referred to as a privacy impact assessment, a DPIA or a GDPR risk assessment.

This template DPIA policy will help you to comply with your data protection obligations by setting out when and how your staff should consider carrying out data impact assessments.

It also includes a template DPIA form, which has been produced by the Information Commissioner’s Office (ICO). This provides an example of how you can assess, record and seek to reduce the privacy risks associated with your projects. Where applicable, it also includes a template DPIA form for use by online services which are directed at, or are likely to be used by, children, which has been produced by the ICO. This will help relevant online services to comply with their obligations under the ICO's Age Appropriate Design Code.

You can also purchase this policy as part of the Data protection policy toolkit.

Q&A

  • When should I use this document?

    If you are a data controller, you should use this document before you start processing any personal data at all.

    It will help you to create an internal policy and procedure setting out how and when your business will carry out data protection impact assessments. This is important because, in some circumstances, it is a legal requirement to carry out a risk assessment before you begin a data processing activity (eg where the processing is likely to result in a high risk to individuals).

    Before each new data processing activity your business carries out, you must use your DPIA policy to consider whether a DPIA is required. If it is, you can customise the template attached to this document to both carry out and record the results of your risk assessment.

    Bear in mind that if you run an online service to which the ICO's Age Appropriate Design Code applies, you must carry out a DPIA before you launch your new service. See Privacy and children for further guidance.

  • What does this document cover?

    This document will help you to create a customised, internal policy for your business setting out:

    • When a data protection impact assessment must be carried out;
    • Other situations when your business should consider carrying out a DPIA;
    • What procedure your staff should follow before and after carrying out an impact assessment;
    • Who within your business must be consulted about data protection impact assessments; and
    • How the impact assessment should be carried out.

    It also includes a template DPIA, which has been produced by the Information Commissioner’s Office. This is public sector information licensed under the Open Government Licence v3.0. Using this will help you to document your risk assessment and its outcome.

  • Why do I need this document?

    This template will help you to comply with your data protection obligations if you’re a data controller. That’s because in certain circumstances, you’re legally required to conduct a data protection impact assessment before you process personal data.

    Even when it’s not required by law, carrying out a DPIA is good business practice and will help you to keep on top of the data risks associated with your projects. It is particularly useful when you are dealing with changes in your business structure or set-up, for example if you change from an office-based arrangement to a large proportion of remote workers.

    Carrying out a data protection impact assessment is not just a box-ticking exercise, and this template will also help you to consider what steps you should take to mitigate any risks identified and to monitor your processing going forwards.

    If you don’t comply with data protection law, your business could face substantial fines and damage to its reputation.

  • Where can I find out more?

    For detailed guidance about data protection impact assessments, including when you must carry one out, see our Q&A on Data protection impact assessments.

    For guidance about the other data protection policies and procedures that your business must put in place, see our Q&A on your data protection obligations.

    If you also need to put in place a general data protection policy to inform your staff about their data protection obligations, you can use our template Data protection policy.

Related Toolkits

Data breach toolkit

This data breach toolkit guides you through the steps you need to take when you become aware of a personal data breach (such as a staff member sending customer information to the wrong person, or a device containing customer information being lost or stolen). It includes a how-to guide, as well as a pack of the relevant documents you are likely to need. In this data breach toolkit you will find: a personal data breach policy; a template notice for notifying affected individuals; and a template personal data breach register for keeping records of breaches.

This data breach toolkit helps you to identify, assess and contain a personal data breach, inform the relevant people, and keep written records of the breach. By using this toolkit, you reduce your risk of being penalised by the ICO. Keeping on top of your data protection processes also helps to maintain your reputation and build customer relationships.
  • Personal data breach policy
  • Template personal data breach register
  • Notice of a personal data breach (affected individuals)
  • How-to guide: Data breach toolkit

Data protection policy toolkit

This data protection policy toolkit provides 8 data protection policy templates you are likely to need to comply with your data protection obligations. It also contains a how-to guide, which tells you how to use each policy. The data protection policies included in this pack can be customised for your business and include: a privacy policy; a cookie policy; a data protection policy; a staff privacy notice; a staff recruitment privacy notice; a data subject request policy; a data protection impact assessment policy; and a personal data breach policy.

Using this data protection policy toolkit helps you to ensure that your staff are aware of how to deal with customers' personal data, that you protect your staff members' and customers' personal information, and that your business deals with any personal data breaches or subject access requests efficiently. Complying with your data protection obligations not only means you will avoid being fined by the ICO, but also that you will maintain your business's reputation and reduce the risk of staff or customers taking legal action against you.
  • How-to guide: Data protection policy toolkit
  • Privacy policy
  • Cookie policy
  • Data protection policy
  • Staff privacy notice
  • Staff recruitment privacy notice
  • Data subject request policy
  • Data protection impact assessment policy
  • Personal data breach policy

Data subject request toolkit

This data subject request toolkit guides you through the process of dealing with data subject requests (individuals' requests for access to, changing or deletion of their personal data). This toolkit contains a how-to guide as well as a pack of 22 relevant documents to cover various types of requests. The template documents you will receive in this toolkit include: policies and forms for dealing with data subject requests; letters for acknowledging receipt of a data subject request, verifying the person's identity and asking for further details; letters to give you extensions of time to respond; letters for responding to the request and explaining what further action you will take (such as correction or deletion of the data); letters for supplying data in response to portability requests; and more.

By using this data subject request toolkit, you will comply with your legal obligations for dealing with data subject requests. This minimises the risk of someone making a complaint against you or you being penalised by the ICO. Having efficient and proper data protection processes in place also helps to protect customer data, ensure good customer relationships and maintain your business's reputation.
  • How-to guide: Data subject request toolkit
  • Data subject request policy
  • Subject access request form
  • Data transfer request form
  • Request form to correct inaccurate or incomplete data
  • Request form to delete data
  • Request form to stop using data
  • Letter acknowledging receipt of data subject request (and requesting verification of ID)
  • Letter asking for further information about a data subject request
  • Letter confirming no data held in response to data subject request
  • Letter explaining reasons for extension of time to respond to data subject requests
  • Letter to third party seeking consent to disclosure of information
  • Subject access request response template
  • Letter confirming that data processing has ceased
  • Letter explaining why data processing will continue
  • Letter confirming that data has been corrected
  • Letter explaining why data will not be corrected
  • Letter to party who has been supplied with data to confirm its correction
  • Letter confirming that data has been deleted
  • Letter explaining why data will not be deleted
  • Letter to party who has been supplied data to confirm its deletion
  • Letter supplying data in response to a portability request
  • Letter supplying data to a third party in response to a portability request
