(Project Name) Data Protection Impact Assessment
ASSESSMENT REPORT
[Project name]
Data Protection Impact Assessment
Report
<Day> <Month> <Year>
NOTE:
This template is provided as an example of the key types of information that can be
considered during the DPIA process. Adjust it as necessary to fit your organisation’s
needs.
Page 1 of 14
Data Protection Impact Assessment Report – Contents
4. DPIA assessment (page 6)
7. Action plan (page 14)
1. Project summary (Describe the project and its context)
Describe the project and what it intends to achieve by addressing the following key
points:
• Describe the project as a whole
• Where does the DPIA sit within the project?
• What is the purpose of doing a DPIA?
• What is the organisation trying to achieve with this project?
• Is the project a one-off initiative or part of ongoing business development?
• How does the organisation currently manage DPIAs? Show where the change that
the project involves will fit with your current systems.
2. Scope of the DPIA
2.1 Scope
Describe what the DPIA covers and what it doesn’t cover. For example:
• What parts of the organisation, project, systems, or IT infrastructure are
included?
• What are the information-management processes that the DPIA will consider
(such as use, storage, access, retention and disposal)?
• What are the limitations of the DPIA? For example, it might not cover the
use of personal information by a third party if there is no direct control or
agreement in place to manage the relationship.
Describe the rationale for the scope of the DPIA and for the process that was
followed.
3. Personal information
Identify and describe the type of personal information involved and what is happening with
it.
The level of sensitivity of that information, and the level of impact on individuals, will
affect whether your information handling is likely to breach the law, or whether there are
other data protection risks that need to be mitigated.
Identify the personal information involved and document the flow of this information through
your systems and processes. An information flow diagram is often the clearest way to do
this.
Describe both the current and future information flows so that the differences are visible at
a glance.
4. DPIA assessment
The principles in the Data Protection Act provide the legal framework that your organisation
has to consider. This section lets the decision-makers see at a glance whether the policy or
proposal will comply with the law.
Each row in the following table summarises the key requirements of each of the data
protection principles and outlines some key questions or considerations you should
address. A risk assessment table can help you identify the data protection risks relevant to
your initiative.
The accompanying Risk and Mitigation Table (see Appendix B) provides a more detailed
explanation of how the project fits with the data protection principles. Either cut and paste
from the Risk and Mitigation Table into this section of the DPIA Report (and then omit those
details from the “Risk assessment” section of this report, to save repetition), or provide a
brief overview here and then expand on it in the “Risk assessment” section.
It is still useful to consider the data protection principles even if your agency is one of the
few that doesn’t have to comply with the Data Protection Act (for instance, if you’re a news
agency collecting, using or publishing information for news purposes; or you’re a court or
tribunal exercising judicial functions). Your activity may be legally compliant, but
understanding how the Data Protection Act deals with a matter can better inform you as to
the likely data protection impacts of your proposal, and how data protection concerns can
best be accommodated.
Assessment table (one row per data protection principle) with the following columns:
#
Description of the data protection principle (these can be deleted from your final
report if they’re not relevant to your project – but you should at least consider each
principle)
Summary of personal information involved, use and process to manage
Assessment of compliance
Link to risk assessment (if required)
Summary / Conclusions
5. Risk assessment
This section describes the data protection risks you’ve identified through the DPIA process
and how you propose to mitigate and manage those risks. It can be useful to link this back
to the data protection principles to show why these risks and the proposed actions are
relevant.
Note: A DPIA doesn’t set out to identify and eliminate every possible data protection risk: its
role is to identify genuine risks that are not unreasonably small or remote.
In some cases, it may be helpful to categorise these actions into areas such as:
• governance
• people
• process
• technology
Categorising the proposed controls in this way helps to define where within the organisation
they will be managed.
Add a narrative summary of your risk assessment and options for mitigating those risks here.
Alternatively, attach a separate risk assessment document, such as one modelled on the
template in Appendix C. If you don’t want to attach the whole document, you can cut and paste
the relevant information into this section.
Document the risks in line with any existing risk management processes your organisation has
– it will be more efficient than trying to run a separate process.
6. Recommendations to minimise impact on data protection
Summarise the recommendations to minimise the impact on data protection, based on your
risk assessment.
R-001
7. Action plan
This section of the report should describe what actions are being taken (whether short or
long term) and how they’ll be monitored. There may also be links to other processes in the
organisation. For example, a proposed action might relate to security controls (such as
restricting access to a system). This will then link in with security processes in the
organisation.
Reporting on the outcome of the mitigation may be necessary. If the DPIA is being
performed as part of a project, the project is likely to require some reporting on the
implementation of those actions as part of its governance arrangements. Once the project is
completed, any ongoing data protection monitoring should be incorporated into normal
business operations.
In the case of a particularly long or complex programme of work, the DPIA may need to be
reviewed a number of times to ensure that it continues to be relevant. This section should
describe how this will be achieved.
A-001