LRD guides and handbook March 2018

The General Data Protection Regulation - a practical guide for trade unionists

Chapter 1

Data protection impact assessment

[ch 1: page 11]

Where the type of processing carries a high risk of infringing individuals’ rights and freedoms, particularly where it uses new technology, the data controller must carry out an impact assessment before beginning any processing. In doing so, it must seek advice from the data processing officer (if there is one – see below).

A data protection impact assessment (DPIA) will always be required where there is:

• a systematic and extensive evaluation of someone which is based on automated processing, including profiling if this has legal or similarly significant consequences for that person;

• processing on a large scale of special categories of data or personal data relating to criminal convictions and offences; or

• systematic monitoring of a publicly accessible area on a large scale.

The ICO must make public a list of the kinds of processing operations that require a DPIA, and may make public a list of those that do not require one.

If the DPIA indicates that there is a potentially high risk to individuals’ rights, the data controller must consult the ICO before carrying out any processing.