Guide: DPIA Policy

A policy is a statement of management’s intent, and is usually supported by a more detailed procedure or protocol. It’s good practice to have a policy that covers your organisation’s approach to Data Protection Impact Assessments (DPIAs). The following is a suggestion towards compiling your own policy.

Data Protection Impact Assessment (DPIA) Policy

Introduction (some call this the Policy Statement)

Indicate, broadly, the volumes and kinds of personal data your organisation processes and how this relates to compliance with the GDPR. Indicate that, adherence to the policy will help identify when a DPIA is required. Indicate that the policy must be followed at the very early planning stages of new projects and run, together with the DPIA procedure, alongside the project plan.


To whom does the policy apply?

any department/service which is introducing a new or revised service or changes to a system, process or information asset which includes processing personal data.

project managers, contracts and procurement, research, IT services etc.

partners and contractors must also have a compliant policy, else they adopt yours

individuals (data subjects) who might be impacted by the changes


Describe the elements that are relevant:

a DPIA; personal data; special category data; criminal data; processing; prior consultation; risk, profiling, automated decision making; systematic monitoring etc.

Duties and Responsibilities

Leadership – policy implementation and oversight

DPO and Data Protection Team – implementation, monitoring and review of the procedure

Staff – to be aware of and fulfil their responsibilities as appropriate

Does failure to adhere to the policy attract possible disciplinary action?

DPIA Procedure

Provide a high-level overview of your actual DPIA procedure/process.

Initiation, why you may not need to; why you do need to; lawful bases; processing; risk assessment and treatment; approval structure; engagement with the supervisory authority etc.

Associated documents

Such as your data protection policy, data sharing policy, risk management framework etc.

Policy review

When your policy was last reviewed and approved.

The content herein is provided for your convenience and does not constitute legal advice.

Compliance Technology Solutions B.V. 2018

Russell is the author of this solution article.

Did you find it helpful? Yes No

Send feedback
Sorry we couldn't be helpful. Help us improve this article with your feedback.