The following list details processing operations for which the ICO requires you to complete a DPIA as they are ‘likely to result in high risk’. It is based on guidelines adopted by the European Data Protection Board (EDPB) on DPIAs (WP248rev01). Our list therefore complements and further specifies these guidelines.
For illustration, we have also included examples of existing areas of application. These should not be taken as definitive or exhaustive. In any event, this list does not affect your overriding obligation in Article 35(1), which is to assess any proposed processing operation against the requirement to complete DPIAs. The ICO also considers it best practice to do a DPIA, whether or not the processing is likely to result in a high risk.
| Type of processing operation(s) requiring a DPIA | Description | Non-exhaustive examples of existing areas of application |
|---|---|---|
| Innovative technology | Processing involving the use of new technologies, or the novel application of existing technologies (including AI). A DPIA is required for any intended processing operation(s) involving innovative use of technologies (or applying new technological and/or organisational solutions) when combined with any other criterion from WP248rev01. |
|
| Denial of service | Decisions about an individual’s access to a product, service, opportunity or benefit which are based to any extent on automated decision-making (including profiling) or involves the processing of special- category data. |
|
| Large-scale profiling | Any profiling of individuals on a large scale |
|
| Biometric data | Any processing of biometric data for the purpose of uniquely identifying an individual. A DPIA is required for any intended processing operation(s) involving biometric data for the purpose of uniquely identifying an individual, when combined with any other criterion from WP248rev01 |
|
| Genetic data | Any processing of genetic data, other than that processed by an individual GP or health professional for the provision of health care direct to the data subject. A DPIA is required for any intended processing operation(s) involving genetic data when combined with any other criterion from WP248rev01 |
|
| Data matching | Combining, comparing or matching personal data obtained from multiple sources |
|
| Invisible processing | Processing of personal data that has not been obtained direct from the data subject in circumstances where the controller considers that compliance with Article 14 would prove impossible or involve disproportionate effort (as provided by Article 14.5(b). A DPIA is required for any intended processing operation(s) involving where the controller is relying on Article 14.5(b) when combined with any other criterion from WP248rev01 |
|
| Tracking | Processing which involves tracking an individual’s geolocation or behaviour, including but not limited to the online environment. A DPIA is required for any intended processing operation involving geolocation data when combined with any other criterion from WP248rev01 |
|
| Targeting of children/other vulnerable individuals for marketing, profiling for auto decision making or the offer of online services | The use of the personal data of children or other vulnerable individuals for marketing purposes, profiling or other automated decision-making, or if you intend to offer online services directly to children. |
|
| Risk of physical harm | Where the processing is of such a nature that a personal data breach could jeopardise the [physical] health or safety of individuals. |
|