Compliance

Data Protection Impact Assessment (DPIA)

UK GDPR requirement to assess data protection risks before high-risk personal data processing begins.

Michael Kitt, Founder of KimonBids

Definition

A Data Protection Impact Assessment (DPIA) is the UK GDPR / Data Protection Act 2018 requirement to assess data protection risks before high-risk personal data processing begins. The data controller (typically the contracting authority) is responsible for the DPIA but typically asks suppliers to support preparation. High-risk processing includes special category data, large-scale processing, novel technology, systematic monitoring of public areas, and automated decision-making with significant effects.

How it works in practice

A DPIA documents: the nature, scope, context, and purposes of processing; the necessity and proportionality of processing relative to the purpose; risks to data subjects (privacy, security, discrimination, exclusion); and mitigation measures to reduce risk.

For procurement involving high-risk personal data processing, the DPIA is typically completed during the procurement design phase (the authority assesses the requirement against DPIA need before publishing the notice) and updated when the supplier is selected (incorporating supplier-specific technical and operational details).

Suppliers should be prepared to contribute technical detail to the DPIA: how the processing will be implemented, what security measures will apply, how data subject rights will be supported, which supplier sub-processors will be involved, and how the processing will be monitored. ICO guidance on DPIAs is detailed and includes templates; mature buyers and suppliers follow ICO guidance closely.

Failure to complete a DPIA where required is a regulatory breach with penalty exposure; flawed DPIAs surface as compliance gaps later. The KimonBids compliance module surfaces DPIA-relevant contract requirements at the bid stage so suppliers can plan their contribution.

Common questions

Who is responsible for the DPIA in a procurement context?

The data controller is responsible: typically the contracting authority. The authority can ask suppliers to support preparation by providing technical and operational detail. Joint controllership arrangements give different parties shared DPIA responsibility.

When is a DPIA required?

For high-risk personal data processing: special category data, large-scale processing, novel technology, systematic monitoring of public areas, and automated decision-making with significant effects. The ICO has published guidance on the specific triggers; in practice, authorities run a DPIA whenever processing significantly affects data subjects.

Can a DPIA approve any processing?

No. A DPIA documents risks and mitigation, but the authority must still decide whether to proceed. Where a DPIA identifies high residual risk after mitigation, the authority should consult the ICO before proceeding. Some processing is so high-risk that DPIA-based mitigation is insufficient and the processing should not proceed.

Related terms
