DPIAs: checklist and what you need to know

A data protection impact assessment (DPIA) is a legal requirement undertaken when data processing may result in a high risk to individual rights. Caroline Collins explains what they involve and how to do one.

Author details

Caroline is the Head of School Business Strategy and Resources at Miles Coverdale Primary School in London. 

Privacy by design is a term used in data protection to acknowledge that data privacy is embedded in the design of projects. In short, protecting the personal data of individuals must be considered and assessed before any new data processing takes place.

Schools are familiar with risk assessments and complete these for things such as school premises, off-site activities and after-school clubs. A DPIA is effectively a risk assessment and should be seen in the same way – a resource to ensure your pupils, parents and staff are not put at risk because their data is being processed.

Like risk assessments, there are five key steps to a DPIA.

  1. Identify potential hazards
  2. Decide who might be harmed and how
  3. Evaluate the risks and identify reasonable precautions
  4. Record findings
  5. Review the assessment

Risk assessments are usually made through a scoring system of low, medium and high. The DPIA may be scored in the same way.

Failure to conduct a DPIA is considered a breach of the GDPR.

When does a DPIA need to be undertaken?

A DPIA is undertaken when your school is planning a project that involves the processing of personal data. Some examples of this are below.

  • Changing the school’s management information system.
  • Entering into a contract with a new provider that processes data on behalf of the school (e.g. catering provision, online payment providers, online communication providers).
  • Purchasing a web monitoring system.
  • Purchasing a data tracking software package.
  • Using cloud-based storage.
  • Providing data to a family services centre.
  • Implementing CCTV.

You can use a list of screening questions to help you decide when to do a DPIA.

If you believe that processing data is likely to result in a high risk to the rights and freedoms of individuals, or if you are unsure if there is a high risk, then you must undertake a DPIA.

By adopting a privacy by design approach, you can be satisfied that no new data processing will take place without an impact assessment being conducted.

Conducting a DPIA

The lead person of the new project should undertake the DPIA before it is signed off by the data protection officer (DPO). In turn, the DPO should ensure that the risks identified are accurate and confirm the DPIA requirements.

The Information Commissioner’s Office (ICO) has published a template DPIA. The DPIA looks at:

  • the aims of the project and what processing is involved
  • how the data will be collected, used, stored and deleted
  • the sources of the data
  • the nature of the data and whether it includes sensitive data
  • the context of the processing
  • the purpose of the processing
  • how you will consult with stakeholders
  • compliance and proportionality (the lawful basis) – can the outcome be achieved in another way?

Step five of the template allows the user to rate the likelihood and severity of harm which, in turn, will determine the overall risk.

Once the risk has been determined, the user can identify additional measures to reduce or eliminate those risks that came out as medium or high, and record them on the template.

Alternatively, you can use your existing risk assessment template and adapt it to relate to data protection.

Completing the DPIA

Once the DPIA has been completed by the lead person, the DPO should review it and satisfy themselves that the steps identified to mitigate risk have been implemented.

For example, if the school has decided to use a new text messaging service provider, the DPIA would stipulate that a written contract with the provider will be entered into as an additional measure to minimise risk. The DPO must check that the written contract has been received.

If the school has decided to change their management information system, the DPIA would include measures such as:

  • the minimal number of personnel involved in the move
  • a contract from the new provider
  • confirmation from the outgoing supplier that data will be erased upon ceasing use.

When the DPO is satisfied that the DPIA is accurate and that the additional measures to minimise the risk to individuals have been implemented, they will sign a DPIA completion statement and file it in the DPO files.

Only at that point should the lead person be given approval for the project to go ahead. Approval should be recorded on the DPO’s data asset register and reported to governors.


DPIAs are important because they help you to make sure that any new projects involving data protection do not put individuals at risk.

They should be treated in the same way as a risk assessment. Schools should adopt the privacy by design approach so that data protection is taken into consideration from the outset and risks are minimised.

Last Updated: 18 Jun 2019