Data Protection Impact Assessments (DPIAs)

The Brexit transition period ended on 31 December 2020. The GDPR has been retained in UK law as the UK GDPR, and will continue to be read alongside the Data Protection Act 2018, with technical amendments to ensure it can function in UK law. If you transfer or receive data from overseas, please visit our End of Transition and International Transfers pages. You should make sure you can identify any data you collected before the end of 2020 about people outside the UK. For further information, see our Q&A on Legacy Data.

On 01 January, there will not be any significant change to the UK data protection regime, or to the criteria that compel DPIAs. This guidance draws on European resources which we still consider to be relevant, and so these resources remain part of our DPIA guidance.

We will keep this guidance under review and update it as and when any aspect of your obligations or our approach changes. Please continue to monitor our website for updates.

This guidance discusses Data Protection Impact Assessments (DPIAs) in detail. Read it if you have detailed questions not answered in the Guide, or if you need a deeper understanding to help you understand or complete a DPIA in practice. DPOs and those with specific data protection responsibilities in larger organisations are likely to find it useful.

The guidance has been revised to adopt the European Data Protection Board’s 22/2018 opinion on the ICO’s list of processing operations subject to the requirement of conducting a DPIA.

If you haven’t yet read DPIAs in brief in the Guide to GDPR, you should read that first. It sets out the key points you need to know, along with practical checklists to help you comply.