DPIA Imapct Assessment

Clear, concise guidance with step-by-step fixes designed to get your project compliant quickly and efficiently

DPIA Impact Assessment – Straightforward, and Stress-free

You may have questions and concerns about performing a DPIA Assessment (or GDPR impact assessment). GDPR may seem like a minefield for business owners who want to demonstrate compliance yet worry about the correct (and legal) way to process personal data.

These assessments can appear to be time-consuming, complex, and fraught with difficulties. If you are feeling confused or concerned about DPIA or GDPR then let us help make it easy, straightforward, and stress-free for you.

If you are feeling confused or concerned about a DPIA or GDPR then let us help make it easy

In a nutshell – what is a DPIA?

A DPIA is basically a risk assessment relating to processing personal data. Not only is it a good idea to identify and minimise these risks, but it is also a legal requirement. DPIA stands for Data Protection Impact Assessment. It can sometimes also be known as a PIA or Privacy Impact Assessment.

DPIAs help data controllers to comply with GDPR requirements and to demonstrate that compliance. A DPIA must be carried out before certain types of data processing.

What are the benefits of a DPIA?

Although a DPIA can sometimes be legally necessary, a regular privacy impact assessment can also be a useful tool for identifying and minimising GDPR risks. It also shows your willingness to display compliance and accountability which builds trust and boosts the reputation of your business.

It is useful to think of a DPIA as more of an ongoing process than a one-off event. It is important for controllers to continually assess whether their data processing creates a risk to the rights and freedoms of the data subjects.

What happens if you fail to perform a DPIA?

Not performing a DPIA when you need to immediately renders the processing unlawful and indicates a failure of the GDPR. This may lead to enforcement action from the ICO in the event of an investigation.  If your data processing is subject to data protection impact assessment, then you must complete a DPIA.

Failure to conduct the DPIA in the correct manner or failure to contact the ICO when required can also result in serious enforcement action from the ICO, or other EU Supervisory Authority.

Under current regulations, you could incur a fine of up to £8.7 million, or 2% of your annual turnover (whichever is higher).

Is a DPIA necessary for your business?

Primarily, you should assess whether a GDPR privacy impact assessment (or DPIA) is necessary for your business.

The first thing to ascertain is the level of risk created by your data processing. If it is likely that there is a high risk to individuals, then you will need to perform a DPIA.

UK GDPR states that you will need to perform a DPIA if you are going to:

  • Process criminal offence data
  • Monitor a public place
  • Process genetic or biometric data
  • Conduct or use profiling data
  • Conduct ‘invisible processing’ (collect data without providing a privacy notice)
  • Process data which may pose safety or health risks to an individual
  • Profile children or direct marketing towards children
  • Track the behaviour or location of individuals
  • Use new data processing technology or systems

Any major projects which involve processing personal data, or any large-scale monitoring or profiling, will most likely require a DPIA.

Contact us today and we can begin working immediately to ensure your system is legal.

Assessing levels of risk to individuals

Before processing data, you should consider the probability (and severity) of any potential risk to individuals. If you identify high levels of risk and a likelihood of harmful consequences to individuals, then you must act to mitigate that risk in every way that you can. If you are unable to mitigate the risk, then you will need to contact the ICO before you begin processing the data. The ICO will provide written advice within 8-14 weeks (depending on the complexity of the case).

Processing personal data – The 6 lawful bases

You must have a lawful basis in order to process personal data. There are 6 bases, or legal reasons, that justify processing personal data:

  • Legal obligation – you need to process the data as part of a legal obligation
  • Public duties – the data processing is in the public interest, or for official reasons
  • Consent – the data subject has given consent for their data to be used
  • Vital interests – the data processing is necessary to protect an individual’s life
  • Legitimate interests – processing is required for legitimate reasons and is not overridden by the need to protect the individual’s data
  • Contract – processing is needed to fulfil a legal contract with the individual

What does a DPIA involve?

There are several important steps you will need to follow when performing a thorough data protection impact assessment:

  • Carry out a review to see if you need a full DPIA
  • Describe the purpose and scope of your data processing project
  • Consider consulting with experts and interested parties
  • Establish that you need to process the data and can remain compliant
  • Identify any potential risks
  • Have a plan to mitigate risk and protect individuals
  • Create a report describing your conclusions and considerations
  • Keep track of your actions to ensure against function creep

The DPIA should be undertaken before you begin processing data and should continue through the planning and execution of your data processing project.

Taking a risk-based approach to data protection

Considering the serious consequences of a data breach, taking a risk-based approach to data protection is a logical precaution. If your business collects, controls or processes data relating to individuals then it is important to understand your legal obligations and take whatever actions are appropriate.

Performing a DPIA will help ensure that your security measures are efficient and effective. It also means that you won’t waste time and resources on threats that are very unlikely to occur or would have a low negative effect on the individuals involved.

By conducting a DPIA in the initial stages of a project you can identify and address potential problems as early as possible. Taking a pre-emptive approach will have several benefits:

  • Problems can be identified before you begin processing
  • You can create a plan to address any potential problems
  • It is usually cheaper and easier to deal with issues at an early stage of a project – rather than changing your processing system later on
  • GDPR awareness will be increased within your business
  • You will be far less likely to breach data regulations

Is conducting a DPIA mandatory?

A DPIA is not a mandatory requirement in every processing project but is dependent on the circumstances and the type of processing involved.

A DPIA is mandatory when data processing is likely to result in a high risk to the rights and freedoms of individuals.

Individuals have the right to data protection and privacy, and controllers have an obligation to ensure those rights are protected and to comply with GDPR.

If your data processing is likely to endanger the rights of the data subjects, then a DPIA is required by law.

If it is not clear if a DPIA is required or not, then it is recommended that one is carried out anyway. A DPIA is a good way to demonstrate your legal compliance with GDPR.

DPIA and new technology

Conducting a DPIA is particularly relevant when new data processing methods or technology are being used. Using new technological systems or innovative solutions may create a risk to the rights of individuals and should be accurately assessed before implementation. This could include such things as fingerprint or facial recognition technology, fitness apps and similar software applications. Any novel ways of collecting or using data can trigger the need for a DPIA.

DPIA and large-scale processing

Although not clearly defined, processing on a large scale may mean the number of data subjects, the size of the portion of the population, the geographical extent as well as the volume of data being processed, and the duration of the processing. Large processing operations may present large-scale risks and require a DPIA to assess.

DPIA and systematic monitoring

Monitoring systems pose a particular threat as individuals may not be aware that they are being monitored, or be able to avoid being monitored, for example, CCTV cameras in public places. The data collected, held, and processed may risk the rights of subjects. Social media data gathered for generating a profile, camera monitoring of employees, and internet activity are all examples of systemic monitoring. A DPIA will help assess and mitigate any risk.

DPIA and vulnerable data subjects

Vulnerable subjects could mean the elderly, children, asylum seekers, employees, individuals with mental illness, hospital patients etc. In these cases, there may be a power imbalance between the data controller and the data subject. The subject may not be capable of knowingly consenting to (or opposing) the processing of their personal information. A DPIA is required due to the inherent high risk in these circumstances.

DPIA and sensitive data

Sensitive or personal data may include medical or criminal records, financial data, location details, private communications such as emails, and more. Any personal data that is collected poses a risk to the data subject so a DPIA may be necessary to assess the data collection and usage.

When is a DPIA not necessary?

There are circumstances where a DPIA may not be needed. A publication which uses a mailing list to send a generic message to subscribers is not likely to require a DPIA. Similarly, a website which uses limited profiling to display adverts, based on a subject’s purchasing or browsing on its own website, would not trigger a DPIA. In such cases, the data controller should consult with the data protection officer and record the reasons for not carrying out a DPIA.

In summary

A DPIA is an invaluable process to assess and manage risks to the rights and freedoms of data subjects (individuals). The purpose of the DPIA is to identify potential risks and enable controllers to find ways to mitigate the risks. A DPIA helps controllers to be compliant with GDPR and to demonstrate legal compliance.

What to do next:

  • Please contact us now and let us remove the stress of managing data compliance in your business.  
  • We handle the complete scope of any data privacy impact requirement

How much will this cost?

A DPIA can vary depending on the size and scale of the project or processing activity.

A minor DPIA can take as little as half a day, which includes the time we spend auditing and learning the data flows in the environment, ahead of drafting the document.

A significant DPIA for a high-risk activity can take several months of drafting, analysis of the results and then re-drafting to address any undue risks.  Where the rights and freedoms of individuals cannot be mitigated by the DPIA, you may need to engage and liaise with the appropriate Supervisory Authority (UK ICO).

Our standard fees are £175 per hour if conducted as a one-off project. If part of a wider engagement, our fees are reduced to £150 per hour. If our Senior Global Privacy Consultants are required for the more complex, multi-territorial engagements, fees are £250 per hour.


As with our ethos, our pricing structure is simple, straightforward and highly competitive – we offer fixed-price options.

Audit Only

For companies that will action the output of the Gap Analysis themselves or via a third-party

£175 per hour

(Budget 3 hours per Department/Work Area)

No contract commitment
Single fixed price

  • Basic Gap Analysis (consulting hours based on the number of departments/work areas in the organisation)
  • Initial Discovery Phase
  • Delivery of Executive Summary & RAG Report
  • Report contains both “Quick Wins” and “Long-Term Tasks”

Audit plus Action

For companies that need Outsourced DPO and long-term gap-closure support

£150 per hour

(Budget 3 hours per Department/Work Area)

Leads to a GDPR Action & Outsourced DPO plan
Single fixed price

  • Gap Analysis (consulting hours based on the number of departments/work areas in the organisation)
  • Initial Discovery Phase
  • Delivery of Executive Summary & RAG Report
  • Report contains both “Quick Wins” and “Long-Term Tasks”


When on-site, our working day is 9am – 5pm. For site visits, reasonable subsistence expenses are charged, however these are all agreed by you in advance. On large-scale projects, where our Global Privacy Consultants are engaged, fees are £250 per hour.

Our hourly rates mean you only pay for EXACTLY the time we need for the task – our hours are recorded on timesheets, so we are fully accountable for time vs tasks!

At PRIVACYHELPER, we pride ourselves on tailoring packages to suit your business – your needs and your budget. That is why we don’t offer pre-packaged services that your business has to try and fit into.

Once we have conducted the data discovery phase, or reviewed your existing GAP analysis documents, we’ll propose a set number of days per month – based on the size of the business, the challenges you face and the amount of guidance you’ll need from us.

This resourcing model is perfect for most companies, as it offers you the flexibility to use our time intensively when the need arises, but to keep time to a minimum at other times. You remain in complete control of your budgets!

Why choose us?

Click here to find out why we are the UK’s #1 privacy consultancy.

How much will this cost?

Our pricing structure is simple, straightforward and highly competitive. Head over to our pricing page and take a look at our most popular packages.

What next?

Get in touch via our contact us page, tell us about your business and a member of our team will get back to you.

Other services you may be interested in from PRIVACYHELPER

Security Icon

GDPR Consultancy

Our Privacy Team consists of expert data protection consultants in the fields of IT & Technical, Legal, Records Management and Marketing.

GDPR Training Courses

An effective, demonstrable training programme can be the difference between the ICO imposing monetary fines – or not, even if your data privacy programme has just started.


Is your marketing activity legal? We can make sure it is.