Privacy Impact Assessments

A Privacy Impact Assessment (PIA) is a process designed to help all organisations identify and minimize any risks to privacy posed by new or changed services, procedures or policies. Such data protection and privacy obligations are a key part of the new data protection legislation and its emphasis on ‘privacy by design’, which means that all new processes should consider the implications for data protection and privacy from the start, and not deal with them as an after-thought.  

PIAs are mandatory under the UK General Data Protection Regulation (UK GDPR) for processes and technologies that are likely to result in higher or altered risks to the rights of data subjects. 

The Information Commissioner’s Office (ICO) advises that they should be built into an organisation’s procedures as an “integral part of taking a privacy by design approach”.  PIAs can help identify and remedy data privacy or security issues at an early stage.

The ICO has detailed web pages containing information and advice regarding PIAs:

In order to establish whether a PIA is required, please complete this form Privacy Impact Assessment Screening Form

If a PIA is necessary, you will, at the very least, need to complete the assessment form Privacy Impact Assessment

For more specific advice please contact Information Governance at