A DPIA is a process designed to help you systematically analyse, identify and minimise the data protection risks of a project or plan. It  is particularly relevant when a new data processing technology is being introduced.

It should help you minimise and determine whether or not the level of risk is acceptable in the circumstances, taking into account the benefits of what you want to achieve.

Conducting a DPIA doesn't have to be complex or time-consuming in every case, but there must be a level of rigour in proportion to the privacy risks arising.

There is no definitive DPIA template that you must follow. You can use our suggested template if you wish, or you may want to develop your own template and process to suit your particular needs, using our guidance as a starting point.

To access full advice on DPIAs, along with useful resources and a template, visit ico.org.uk/sme and enter 'Data protection impact assessments | ICO' into the search bar.