
What is a Data Protection Impact Assessment & When Do We Need One?
A data protection impact assessment is designed to identify and reduce the risks involved in a particular project you intend to carry out.
We’ll help your organisation conduct a Data Protection Impact Assessment (DPIA) and can assist with ongoing compliance.
When do we need a DPIA? Data Protection Impact Assessment Services for UK Organisations.
If you’re launching a new system, using AI or biometric services such as facial recognition or fingerprint identification to monitor employees, or handling special category data, this will trigger a legal requirement to carry out a Data Protection Impact Assessment.
Are you aware that it is the data controller's responsibility to carry out a DPIA?
We help you assess the risks involved, decide whether a DPIA is the right approach, carry out and document your reasoning, and ensure your approach aligns with the UK GDPR and the Data Protection Act 2018.

Clara Westbrook
25+ Years PQE
Founder | Qualified Solicitor | Data Protection Specialist
079 7693 9016
Benefits of carrying out a DPIA
Did you know that the first document the ICO will want to see is a data protection impact assessment? A DPIA is also often the first step in cyber security and forms part of a robust cyber security framework. With a clear and properly documented assessment, your organisation builds trust and reduces risks.
- Identify and reduce risk early: A DPIA highlights potential issues before a project goes live, allowing risks to be addressed proactively rather than retrospectively.
- Builds trust: Signals to customers, employees and regulators that you take data security seriously.
- Supports better decision-making: The assessment gives you the information needed to make informed choices about a project.
- Increases awareness of data processing: Taking a considered approach to how personal data is used demonstrates accountability and can strengthen confidence in your organisation.
Did you know: You can carry out a DPIA yourself. The ICO has a DPIA template here.
Do you need a DPIA?
This service is designed for organisations introducing new systems or carrying out processing that may create a high risk to individuals. It will also be required for organisations changing how their existing data is going to be used. The following list identifies common triggers for an assessment, aligned with the ICO’s list of high-risk processing.
You are likely to need a DPIA if one or more of the points below apply:
- Introducing new systems or technology such as facial recognition or fingerprint ID
- Using AI or automated decision-making, such as screening candidates or analysing employee performance using AI, profiling customers, or making automated decisions
- Monitoring individuals' emails, activity, or communications, or using CCTV or tracking systems in the workplace
- Processing of special category data such as health, biometric, or criminal offence data, employee wellbeing or occupational health records, data revealing race, religion, or trade union membership
- Processing data at scale or combining datasets for example handling large volumes of customer or employee data, linking or combining multiple data sources
DPIA timelines
A DPIA can take between 1 and 4 weeks to conduct and depends on the nature of processing you carry out as well as existing documents you have in place. A DPIA document should be updated as the projects you work on change through time.
Assess > Identify Risk > Document & Advise
Our 3-step DPIA approach
We provide a clear, structured approach to ensure your Data Protection Impact Assessment is completed efficiently and stands up to regulatory scrutiny.
1. Assess
Briefly tell us about your situation. We’ll review the scope of your data request, identify potential risks, and provide a clear, fixed-price quote within 24 hours.
2. Identify Risk
We assess the potential impact on individuals, highlighting key risks and where safeguards are required.
3. Document & Advise
We produce a clear, structured DPIA and advise on practical steps so your project can proceed with confidence.
Costing structure
We offer both a fixed fee and variable pricing. If you have any specific requirements please get in touch.
| Option | Price | Suitable for |
| --- | --- | --- |
| Fixed Fee | From £750 – £2,500 + VAT | Ongoing |
| Hourly Rate | £375 + VAT | Ideal for one-off projects |
| Daily Rate | From £1,000 + VAT | Ideal for long-term pieces of work which may take a few days to a few weeks |
| Retainer | Ongoing | Ideal for ongoing legal support |
When a DPIA may not be required
Not all processing requires a full assessment. Our criteria for non-requirement follow the ICO guidance for small organisations, ensuring your business stays compliant without unnecessary paperwork.
- The processing is low risk
  This may be routine processing that does not significantly impact the rights and freedoms of the individuals involved. For example: payroll processing for employees, HR record keeping, maintaining a customer contact list.
- The processing is already covered
  Where a similar DPIA has already been carried out for the same or substantially similar processing, such as rolling out an existing HR system across another department without changes.
- Legal purposes
  Situations involving national security, defence, or certain criminal investigations, or where processing is for a specific legal basis such as police or tax authorities.
- The processing is necessary and proportionate with minimal impact
  Where there is limited scope for risk to individuals' rights and freedoms.
Why choose us
We are a solicitor-led organisation with over 25 years’ experience in data protection and privacy law. We regularly support organisations carrying out DPIAs for high-risk projects, including new systems, employee monitoring, and AI-driven processing. We support organisations in Woking, Surrey and across the UK with practical data protection advice.
We’ve worked with organisations across multiple sectors including WarnerMedia, Yum! Brands, Burberry, Expedia and Société Générale on their data protection requirements including data protection impact assessments (DPIAs).
Request a DPIA consultation
Speak directly with a data protection solicitor +44 (0)79769 39016 (9:00 am – 6:00 pm UK time). If you would like us to call or email you, please leave your details, and we will be in touch.
Westbrook Data Protection Services Limited,
2nd Floor, Midas House, 62 Goldsworth Road Woking, Surrey, GU21 6LQ