A Data Protection Impact Assessment (DPIA) is a formal approach to considering the risks that proposed processing poses to the rights and freedoms of individuals. A DPIA is not required in all cases, but guidance is that, where it is determined a DPIA is not required, there must be evidence that it was considered and ruled out. Many organisations have decided to go over and above the legislative requirements and complete a risk assessment whenever personal data is being processed.
Although the DPIA requirement is a duty of Controllers, a Processor providing a service or product will often choose to produce a DPIA to assure its customers of the effectiveness of its controls.
Kaleidoscope has extensive experience advising on when a DPIA is required and has developed tools to collect the information needed to analyse and evaluate risks. Kaleidoscope may identify areas that need attention, especially where there is a high residual risk, and we can make recommendations for mitigation.