Content requirements

Clause 64(3) DPA specifies the content requirements for DPIAs. Accordingly, a DPIA must contain the following information:

  • general description of the envisaged processing operations,
  • assessment of the risks to the rights and freedoms of data subjects,
  • measures envisaged to address those risks,
  • safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Part, taking into account the rights and legitimate interests of the data subjects and other persons concerned.

DPIA list of the UK’s supervisory authority

ICO has published a list specifying the examples of processing activities, that are likely to result in high risk. Among others, the list includes the following processing operations:

  • Artificial intelligence, machine learning
  • Autonomous vehicles
  • Smart technologies, including wearables
  • Credit checks
  • Mortgage or insurance applications
  • Hardware or software offering fitness or lifestyle monitoring

The full list is available at: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/data-protection-impact-assessments-dpias/examples-of-processing-likely-to-result-in-high-risk/.

Prior consultation

According to Clause 65 DPA, where the DPIA indicates a high risk, prior consultation with the ICO is required. ICO may advise (in writing) on how to proceed with the processing within 6 weeks after receipt of the request (may be extended by further 4 weeks).