
- RISK PROBABILITY AND IMPACT ASSESSMENT EXAMPLE UPDATE
- RISK PROBABILITY AND IMPACT ASSESSMENT EXAMPLE OFFLINE
If appropriate, we may issue a formal warning not to process the data, or ban the processing altogether.

☐ We consider carrying out a DPIA in any major project involving the use of personal data.
☐ We consider whether to do a DPIA if we plan to carry out any other:
  ☐ automated decision-making with significant effects
  ☐ processing of sensitive data or data of a highly personal nature
  ☐ processing of data concerning vulnerable data subjects
  ☐ innovative technological or organisational solutions
  ☐ processing that involves preventing data subjects from exercising a right or using a service or contract.
☐ We always carry out a DPIA if we plan to:
  ☐ use systematic and extensive profiling or automated decision-making to make significant decisions about people
  ☐ process special-category data or criminal-offence data on a large scale
  ☐ systematically monitor a publicly accessible place on a large scale
  ☐ use innovative technology in combination with any of the criteria in the European guidelines
  ☐ use profiling, automated decision-making or special category data to help make decisions on someone’s access to a service, opportunity or benefit
  ☐ process biometric or genetic data in combination with any of the criteria in the European guidelines
  ☐ combine, compare or match data from multiple sources
  ☐ process personal data without providing a privacy notice directly to the individual in combination with any of the criteria in the European guidelines
  ☐ process personal data in a way that involves tracking individuals’ online or offline location or behaviour, in combination with any of the criteria in the European guidelines
  ☐ process children’s personal data for profiling or automated decision-making or for marketing purposes, or offer online services directly to them
  ☐ process personal data that could result in a risk of physical harm in the event of a security breach.
☐ We carry out a new DPIA if there is a change to the nature, scope, context or purposes of our processing.

A Data Protection Impact Assessment (DPIA) is a process to help you identify and minimise the data protection risks of a project. You must do a DPIA for processing that is likely to result in a high risk to individuals. This includes some specified types of processing. You can use our screening checklists to help you decide when to do a DPIA. It is also good practice to do a DPIA for any other major project which requires the processing of personal data.

The Brexit transition period ended on 31 December 2020. The GDPR has been retained in UK law as the UK GDPR, and will continue to be read alongside the Data Protection Act 2018, with technical amendments to ensure it can function in UK law. If you transfer or receive data from overseas, please visit our End of Transition and International Transfers pages. You should make sure you can identify any data you collected before the end of 2020 about people outside the UK. For further information, see our Q&A on Legacy Data.

On 01 January, there will not be any significant change to the UK data protection regime, or to the criteria that compel DPIAs. This guidance draws on European resources which we still consider to be relevant, and so these resources remain part of our DPIA guidance. We will keep this guidance under review and update it as and when any aspect of your obligations or our approach changes. Please continue to monitor our website for updates.

