Test Your Knowledge on Data Protection Impact Assessments and GDPR Compliance

The UK GDPR has been retained in UK law and will continue to be read alongside the Data Protection Act 2018. If you transfer or receive data from overseas, please visit the End of Transition and International Transfers pages. There will not be any significant change to the UK data protection regime or to the criteria that compel Data Protection Impact Assessments (DPIAs) on 1 January. DPIA is a way to systematically and comprehensively analyse your processing and help you identify and minimise data protection risks. DPIAs are a legal requirement for processing that is likely to be high risk. You must do a DPIA before you begin any type of processing that is “likely to result in a high risk”. This means that although you have not yet assessed the actual level of risk, you need to screen for factors that point to the potential for a widespread or serious impact on individuals. A DPIA may cover a single processing operation or a group of similar processing operations. You should embed DPIAs into your organisational processes and ensure the outcome can influence your plans. You don’t need to send every DPIA to the Information Commissioner's Office (ICO), but you must consult the ICO if your DPIA identifies a high risk and you cannot take measures to reduce that risk. You need to send the ICO a copy of your DPIA.