Get a handle on the DPIA process: 7 steps to a great implementation of new systems

Data Protection Impact Assessments (DPIAs) can be more straightforward than you think. Based on the guidance of the U.K. Information Commissioner's Office (ICO), this is a step-by-step guide to doing a good DPIA. The DPIA process also helps ensure that new systems in your organisation are implemented lawfully.

Published: March 6, 2024
Gry Josefine Løvgren, Content Specialist

Step 1: Identify the need for a DPIA

A DPIA is required when the processing is likely to result in a high risk to the people whose data you hold. Examples of high-risk processing include systematic and extensive profiling, large-scale use of special category (sensitive) data, and systematic monitoring of public areas. The reasons can be many, but as the ICO puts it: “If in doubt, then you should probably do a DPIA”.

Even if you conclude that a DPIA is not required, you should still run through steps 2 to 7, as they produce much of the information you need to meet your obligation to keep a ROPA (Record of Processing Activities). In that case the exercise can be less extensive.

Step 2: Describe the processing

Once you have determined that you probably need a DPIA, map out, step by step, what you will do with the data you collected from Ms. Brown when she became a member of your organisation. How do you store it? Who has access to it? How long do you keep it? And the bigger picture: why do you process this data at all? You need to describe the nature, scope, context and purposes of the processing activity.

This step also helps you keep your ROPA up to date and comply with Article 30 of the GDPR.

Step 3: Consider consultation

This is where it gets a bit more comprehensive, but it is an important step. Seek the views of the people whose data is involved. What is Ms. Brown most concerned about when sharing her personal data with you? Design a consultation process to gather the views of those individuals or their representatives, and consult your DPO and, where relevant, your processors and security specialists as well.

Step 4: Assess necessity and proportionality

Consider how you ensure data protection compliance. What is your lawful basis for processing? Does the processing actually achieve your purpose, and is there a less intrusive way to achieve the same result? Are you collecting only the data you need, and keeping it no longer than necessary?

Again, the answers feed directly into your ROPA.

Step 5: Identify and assess risks

Risk assessment is at the heart of data protection. Whether or not you are obliged to do a DPIA, you should always identify and assess the risks associated with the new system and its processing of personal data.

What is the worst thing that could happen to your data subject? Loss of control over their data? Discrimination? Identity theft? Financial loss? Physical harm? For each risk, consider both the likelihood of the harm occurring and its severity if it does, and record the resulting overall risk level.

Step 6: Identify measures to mitigate the risks

In step 6 you describe how you will reduce or prevent each identified risk. That may mean deciding not to collect certain types of data at all, or it may mean additional technical or organisational measures: pseudonymisation, encryption, stricter access controls, shorter retention periods, or staff training. Record the effect of each measure on the risk (eliminated, reduced, or accepted) and ask your DPO for advice.

Step 7: Sign off and record outcomes

You have made it to the (tentative) end of your DPIA process. Remember that you do not always have to eliminate every possible risk. You may decide that some risks are acceptable given the benefits of the processing and the difficulty of mitigating them. Get your DPO's advice before signing off, and record who approved the DPIA and which residual risks were accepted. Note, however, that if a high risk remains that you cannot mitigate, the ICO requires you to consult it before starting the processing.

That's it. You are now one step closer to creating a safe environment for your data subjects' data and to sustainable compliance in your organisation. Keep the DPIA under review: if the system or the processing changes, revisit the assessment.

In Wired Relations, we support you through all seven steps of your DPIA. We assist you in organising and documenting the entire process when implementing new systems.



For more inspiration, read this example of a completed DPIA

Your roadmap to achieving DPIA excellence

We have gathered our top insights on running a successful DPIA process in an e-book. It includes step-by-step guides, cheat sheets for getting management buy-in, and expert tips to make DPIAs a seamless part of your data protection strategy.