“LexisPSL and the other Lexis solutions support our business in exactly the way we want. They enable us to quickly turn around work and deliver the best possible service to our clients.”
SBP Law
This Flowchart supports your decision on whether a data protection impact assessment (DPIA) is necessary when initiating a new project that involves personal data from the outset. It sets out: the three scenarios in which a DPIA is mandatory under Article 35(3) of Assimilated Regulation (EU) 2016/679, UK General Data Protection Regulation (UK GDPR); and the ten further processing activities for which the Information Commissioner’s Office (ICO) requires a DPIA to be carried out. Where a DPIA is not needed, you should consider a simpler form of review, which we call a privacy impact assessment (PIA), instead. The Flowchart enables you to determine which assessment, DPIA or PIA, best fits your project in practice. For additional guidance on DPIAs and PIAs, see Practice Note: How to complete a data protection impact assessment—DPIA...
This flowchart shows how to determine whether you need to carry out a data protection impact assessment (DPIA) for a specific project, and the steps to complete one if required. It also outlines post‑DPIA tasks, including weaving the DPIA’s findings into your project plan and keeping the assessment under review. See also Precedents: Data protection impact assessment—DPIA and Data protection impact assessment—DPIA—short form, the latter of which draws on a template issued by the Information Commissioner’s Office (ICO). The ICO’s comprehensive Data Protection Impact Assessments guidance sets out seven steps to running a DPIA. This flowchart is designed to cover those seven stages, and it also mirrors the ICO’s expectations for post‑DPIA activity, namely: integrating the outcomes of your DPIA into your project plans, and monitoring the ongoing performance of the DPIA.
Note 1: Identify the need for a DPIA
If you have a data protection officer (DPO), seek their advice. For further information, see Practice Note: How to complete a data protection impact...
Flowchart No pharmaceutical product can be marketed without prior authorisation. This Flowchart describes the steps to obtain such approval, termed a marketing authorisation (MA), via the EU centralised route as set out by the procedure...
This data protection impact assessment (DPIA) relates to view and prove, one of three online services that lets people with an immigration status confirm and share their status online. This DPIA relates to ‘view...
In this issue: New technologies; Internet; Data protection; Media; Advertising, marketing and sponsorship; Reputation management; Telecommunications; LexTalk®TMT: a Lexis®Nexis community; Daily and weekly news alerts; New and updated content; Dates for your diary; Trackers; Useful information.
New technologies
DSIT releases report and impact assessment on copyright and artificial intelligence. DSIT, the Department for Culture, Media and Sport (DCMS) and the Intellectual Property Office have jointly issued a report and an impact assessment exploring the use of works protected by copyright in the training and development of AI systems. These have been published pursuant to sections 135 and 136 of the Data (Use and Access) Act 2025. See: LNB News 18/03/2026 44.
EDPS unveils Compass on supervision and enforcement under the EU AI Act. The European Data Protection Supervisor (EDPS) has released its Compass setting out its expanded role under the EU AI Act as a market surveillance authority...
In this issue: UK, EU and international regulators and bodies; Prudential requirements; Risk management and controls; Operational resilience; Financial crime and sanctions; Complaints, compensation and claims management; Investigations, enforcement and discipline; Regulation of capital markets; Sustainable finance and ESG; Banks and mutuals; Investment funds and asset management; Consumer credit, mortgage and home finance; Regulation of insurance; Payment services and systems; Fintech and cryptoassets; Regulation of AI in FS; Dates for your diary; New and updated content; Financial Services Enforcement Database; Daily and weekly news alerts; LexTalk®Financial Services: a Lexis®Nexis community.
UK, EU and international regulators and bodies
ESAs publish spring 2026 joint risk update. The three European Supervisory Authorities—the European Banking Authority, the European Insurance and Occupational Pensions Authority, and the European Securities and Markets Authority—have released their Joint Committee spring 2026 update examining risks and vulnerabilities across the EU financial system....
ARCHIVED: This retired Practice Note outlines the EU General Data Protection Regulation, Regulation (EU) 2016/679 (the GDPR), as it operated in the UK before 11 pm on 31 December 2020. It is retained strictly for background purposes and is no longer updated or maintained. For the amendments to UK data protection law introduced by the replacement UK GDPR from that date, consult Practice Notes: The UK General Data Protection Regulation (UK GDPR), The UK General Data Protection Regulation (UK GDPR)—Navigator and Brexit—implications for data protection [Archived].
Brexit
On 31 January 2020, the UK left the EU and entered an implementation period lasting until 11 pm on 31 December 2020, during which it remained bound by EU law. Throughout that time, the EU General Data Protection Regulation, Regulation (EU) 2016/679 (the GDPR), continued to apply in the UK, and the UK was broadly regarded as an EU (and EEA) state for EEA and UK...
The impact of the EU GDPR on M&A transactions Overview of legislation and key M&A considerations The EU’s General Data Protection Regulation, Regulation (EU) 2016/679 (EU GDPR), took direct effect and became fully enforceable across all EU Member States on 25 May 2018. It delivered significant changes to EU data protection law and superseded Directive 95/46/EC (the Data Protection Directive). The EU GDPR regulates the processing of personal data, confers rights on data subjects whose information is handled, and imposes obligations on controllers and processors alike. It is a complex, principle‑driven regime. Seven core data protection principles underpin the EU GDPR, set out in Article 5, and controllers dealing with personal data must adhere to them. See Practice Note: EU GDPR—data protection principles. Personal data and technology are now central to most organisations, as the majority handle information relating to employees, customers/clients, suppliers and others. Data is a strategic and valuable corporate asset and can therefore be decisive to the valuation of a target group or...
What is BYOD?
BYOD (bring your own device) describes arrangements allowing an organisation’s employees to connect to the corporate IT network with their own communications devices for specified, work-related purposes. Such arrangements may extend to laptops, tablets and smartphones. This Practice Note focuses on BYOD in the employment relationship.
Key risks and benefits of BYOD
Cost
Cost is a central consideration.
Potential benefits: reduced organisational spend by avoiding procurement, replacement and day-to-day management of devices for employees; and, depending on how costs are shared, lower outgoings on service charges.
Potential downsides and risks: the organisation must still invest in technical solutions, training and ongoing support so staff can use BYOD securely, which in some cases could make the approach more expensive overall. Ending the purchase of employee devices under existing agreements with a communications provider, where products and services are often bundled, may diminish discounts applied to other product or service lines. Accordingly, it is important to assess and review current...
1 Management and organisational information security
Checklist item: Your business identifies, evaluates and controls information security risks
ICO expectation and current status: ☐ Not yet implemented or planned ☐ Partially implemented or planned ☐ Successfully implemented ☐ Not applicable
Further details: LexisNexis® Precedents
Before deciding the right level of protection for your organisation, audit the personal data you hold and gauge the threats to it. Review every stage of handling: collection, storage, use, sharing and disposal. Weigh the sensitivity or confidentiality of the data and the potential harm or distress to people, alongside any reputational impact on your business, if a breach occurred. With this understanding, select security controls proportionate to your needs. Embedding data protection by design also means undertaking a data protection impact assessment (DPIA) in defined scenarios to evaluate privacy risks. You must complete a DPIA prior to initiating any processing that is ‘likely to result in a high risk’...
Introduction [ Provide a concise overview of the project to which this consultation relates, including as appropriate: ] [ —a short introduction to your organisation ] [ —the subject you are consulting on ] We invite you to take part in our consultation, running for [ insert number ] weeks from [ insert date ] to [ insert date ]. This consultation offers you the chance to comment on [ insert details ]. Your views matter to us. Please use this form to share your feedback. Complete as many sections as you wish and send it to: [ insert address ]. We will also accept feedback by email, letter and telephone (see Contact details below)...
STOP PRESS: We are revising this document to account for the coming into force of the Data (Use and Access) Act 2025 (DUAA 2025), which updates the UK GDPR and the Data Protection Act 2018. For fuller guidance on DUAA 2025’s compliance impact, see Practice Note: Data (Use and Access) Act 2025—compliance implications.
1 Background information
Data transfer status: ☐ Proposed ☐ Existing
Assessor(s): [ Insert name ]
Assessment date: [ Insert date ]
2 Parties to the data transfer
Who is the data exporter? [ Specify which organisation is the data exporter; this could be an entity within a group structure ]
To whom will the data be sent (data recipient)? [ Indicate who will receive the data ]
What role does the data recipient hold for the intended transfer? ☐ Controller ☐ Processor
What kind of organisation is the recipient? ☐ Public sector organisation ☐ Private sector organisation ☐ Other [ give...