DPIA

What is a DPIA?

A process to help you identify and minimise the data protection risks of a project.

What does a good DPIA look like?

A good DPIA helps you to demonstrate that:

you have considered the risks related to your intended processing; and

you have met your broader data protection obligations.

DPIA checklist

When do you need a DPIA?

The GDPR says you must do a DPIA if you plan to:

use systematic and extensive profiling with significant effects;

process special category or criminal offence data on a large scale; or

systematically monitor publicly accessible places on a large scale.

Your DPIA must:

describe the nature, scope, context and purposes of the processing;

assess necessity, proportionality and compliance measures;

identify and assess risks to individuals; and

identify any additional measures to mitigate those risks.

The ICO also requires you to do a DPIA if you plan to:

use innovative technology (in combination with any of the criteria from the European guidelines);

use profiling or special category data to decide on access to services;

profile individuals on a large scale;

process biometric data (in combination with any of the criteria from the European guidelines);

process genetic data (in combination with any of the criteria from the European guidelines);

match data or combine datasets from different sources;

collect personal data from a source other than the individual without providing them with a privacy notice (‘invisible processing’);

track individuals’ location or behaviour;

profile children or target marketing or online services at them; or

process data that might endanger the individual’s physical health or safety in the event of a security breach.

How do you conduct a DPIA?

Why are DPIAs important?

DPIAs are a legal requirement for processing that is likely to be high risk.

Under the GDPR, failure to carry out a DPIA when required may leave you open to enforcement action, including a fine of up to €10 million, or 2% of global annual turnover if higher.

Consistent use of DPIAs increases the awareness of privacy and data protection issues within your organisation.