
When is a DPIA legally required?

A Data Protection Impact Assessment (DPIA) is required under UK GDPR Article 35 when processing is "likely to result in a high risk" to individuals. Failing to conduct a mandatory DPIA can result in ICO enforcement action and fines.

Processing that always requires a DPIA

  • Systematic and extensive profiling or automated decision-making with significant effects.
  • Large-scale processing of special category data (health data, biometrics, ethnicity) or criminal conviction data.
  • Systematic monitoring of a publicly accessible area (e.g. CCTV covering public spaces).
  • New NHS digital health services or apps processing patient data.
  • Any processing using new technologies where the privacy risks are not yet fully understood.

The ICO's 9 screening criteria

A DPIA should also be conducted if your processing meets two or more of the following ICO criteria:

  1. Evaluation or scoring (including profiling).
  2. Automated decision-making with legal or similarly significant effects.
  3. Systematic monitoring.
  4. Sensitive data or data of a highly personal nature.
  5. Data processed on a large scale.
  6. Matching or combining datasets.
  7. Data concerning vulnerable data subjects (children, patients, employees).
  8. Innovative use or applying new technological or organisational solutions.
  9. Data transfer across borders outside the UK.

What "large scale" means

There is no fixed threshold. The ICO considers: the number of data subjects, the volume of data, the geographical extent, and the duration of processing. An NHS Trust processing patient data for a catchment area of 500,000 people is clearly large scale. A sole trader's client list of 200 names is not.

Run the DPIA Screening wizard in Folelse (Dashboard → DPIAs → New DPIA) to automatically score your processing against these 9 criteria and get a recommendation on whether a full DPIA is needed.
