Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If your business uses personal data (and most do), you’ve probably heard you may need a DPIA at some point. The tricky part is working out when a DPIA is required under the UK GDPR - especially when you’re moving fast, adopting new tools, or scaling your operations.
A Data Protection Impact Assessment (DPIA) isn’t just paperwork for the sake of it. Done properly, it’s a practical risk-check that helps you avoid the kinds of mistakes that can lead to regulatory action, customer complaints, and expensive operational changes later.
In this guide, we’ll break down when you need a DPIA, what “high risk” actually means in the real world, and how to run a DPIA in a way that’s workable for small businesses.
What Is A DPIA (And Why Should Small Businesses Care)?
A Data Protection Impact Assessment (DPIA) is a structured process for identifying and reducing data protection risks in a project.
Under the UK GDPR (and supported by the Data Protection Act 2018), you’re expected to think about privacy risks before you launch something that involves personal data - not after a complaint lands in your inbox.
For small businesses, the biggest value of a DPIA is that it forces you to answer practical questions early, such as:
- What personal data are we collecting, and why?
- Do we really need all of it?
- Who will have access to it (internally and externally)?
- How long will we keep it?
- What could go wrong, and how do we reduce the risk?
A DPIA often sits alongside your wider GDPR compliance work, like having a clear Privacy Policy and ensuring suppliers are contractually locked in via a Data Processing Agreement where appropriate.
When Is A DPIA Required Under UK GDPR?
The key rule is simple (even if applying it isn’t): you must do a DPIA where a type of processing is likely to result in a high risk to people’s rights and freedoms.
So if you’re asking “when is a DPIA required?”, what you’re really asking is:
“Is what we’re planning likely to create a high privacy risk for individuals?”
UK GDPR doesn’t give one neat list of every scenario. Instead, it sets out categories of processing where DPIAs are typically required, and the UK’s regulator (the ICO) provides guidance and examples.
As a practical checklist, a DPIA is usually required if your project involves one or more of the following:
- New technology (especially where it changes expectations around privacy)
- Large-scale processing of personal data
- Profiling or automated decision-making that significantly affects people
- Systematic monitoring of individuals
- Special category data (eg health information) or criminal offence data
- Combining datasets in ways individuals wouldn’t reasonably expect
- Processing that could cause harm if mishandled (financial, reputational, physical, discrimination, loss of confidentiality)
Importantly, a DPIA isn’t only for “big tech” or huge organisations. Small businesses often trigger DPIA requirements when they start using monitoring tools, introduce biometrics, or roll out data-heavy marketing systems.
What Counts As “High Risk” Processing? (Practical Examples)
“High risk” is about impact on individuals - not just how risky something feels to your business.
To make it real, here are common small business scenarios where a DPIA may be required (or at least strongly recommended).
1) Monitoring Staff Or Visitors
If you’re introducing CCTV, tracking tools, keystroke monitoring, productivity software, or location tracking, that can amount to systematic monitoring - particularly if it’s continuous or hard to avoid.
For example:
- Installing CCTV across your premises (especially in staff-only areas).
- Adding camera systems with audio capture (audio significantly increases privacy impact).
- Rolling out software that monitors employee activity on work devices.
This is where it’s wise to align your DPIA with internal policies (and make sure your team understands what’s happening and why). Depending on the scenario, it may also connect with your Acceptable Use Policy, and you may want to check your approach against the legal and privacy issues around workplace monitoring, including whether any monitoring of employees’ computers is being done lawfully and transparently.
2) Using Biometrics (Fingerprint, Face Recognition, Voiceprints)
Biometric data used for identification is generally treated as special category data under UK GDPR. Because the risks can be inherently high (you can’t “reset” someone’s fingerprint like a password), a DPIA is often appropriate, and may be required depending on the context, scale, and safeguards.
A common example is introducing fingerprint clock-in systems for staff. That often needs a careful look at whether biometrics are truly necessary, whether there’s a less intrusive option, and how you’ll manage consent (and alternatives if consent isn’t valid or freely given in an employment context).
3) Handling Health Or Medical Data
Small businesses can fall into “high risk” without realising it when they process health data - for example:
- Collecting staff medical details for occupational health or sickness management.
- Running a health, wellness, or fitness service where clients share medical history.
- Recording accessibility needs for events or services.
Where health data is involved, you should consider whether you have the right lawful basis, an additional special category condition, and appropriate security and access controls.
4) Automated Decision-Making Or Profiling
If you’re using algorithms to make decisions about people in a way that has a significant effect, this can trigger DPIA requirements.
Examples include:
- Auto-rejecting job applicants based on scoring.
- Creditworthiness scoring for “buy now pay later” style offerings.
- Profiling customer behaviour to make decisions that materially affect pricing, access, or eligibility.
Even if you’re using “off the shelf” software, you’re still responsible for the processing you decide to carry out.
5) Large-Scale Customer Data Or Tracking
You might be a small business but still process data at scale - for example, an eCommerce business with thousands of customers and behavioural tracking.
If you’re combining:
- customer purchase history,
- website behaviour,
- email engagement, and
- third-party advertising identifiers,
…that can increase risk, particularly if it becomes unexpected or intrusive for the individual.
How To Decide If Your Business Needs A DPIA (A Step-By-Step Test)
If you’re still unsure when a DPIA is required, here’s a practical way to approach it.
Step 1: Describe The Processing Clearly
Start with the basics:
- What are you doing with personal data?
- Whose data is it (customers, staff, suppliers, children)?
- What data types are involved?
- Why are you doing it?
- Is it new, or a significant change to an existing process?
If you can’t describe the processing simply, that’s often a sign you need to slow down and assess it more formally.
Step 2: Check Whether It Falls Into “Likely High Risk” Categories
Ask yourself:
- Are we doing any systematic monitoring?
- Are we using new technology in a way people wouldn’t expect?
- Are we processing special category data (health, biometrics, etc)?
- Are we making automated decisions that significantly affect people?
- Could something go wrong that causes serious harm (financial loss, discrimination, distress, exposure of sensitive data)?
If the answer is “yes” to any of these, a DPIA is usually a smart move - and may be mandatory.
Step 3: Consider Context And Vulnerability
Risk is higher when:
- people are less able to control or avoid the processing (eg employees, tenants, children),
- there is a power imbalance (eg employer/employee),
- data subjects would be surprised by the processing,
- there’s a risk of function creep (using data for more purposes over time).
For example, if you’re thinking about rolling out new AI tools internally, you may also want to think carefully about confidentiality and personal data in AI prompts, and whether you need a clear internal policy before staff begin using such tools with real-world information. This question comes up often when businesses ask about data privacy and confidentiality with AI tools such as ChatGPT (is ChatGPT confidential?).
Step 4: Decide And Record Your Reasoning
Even if you decide a DPIA isn’t required, it’s good practice to document why. If the ICO ever asks questions later, being able to show your decision-making process can make a real difference.
How To Run A DPIA Properly (Without Making It A Bureaucratic Nightmare)
A DPIA should be practical. The goal is to identify risks and reduce them - not create a document that never gets read again.
Most DPIAs follow a similar structure:
1) Map The Data Flow
Write down what data comes in, where it’s stored, who accesses it, who it’s shared with, and when it’s deleted. This is also a good time to check whether your contracts with suppliers are up to scratch (particularly if a supplier is processing personal data for you, which is where a Data Processing Agreement becomes important).
2) Confirm Your Lawful Basis (And Any Special Category Conditions)
You’ll need to identify the lawful basis under UK GDPR (eg contract, legitimate interests, legal obligation). If you’re dealing with special category data, you’ll also need an additional condition.
This is one of the points where getting tailored advice can be valuable - because the “right” basis depends heavily on your purpose and your relationship with the person.
3) Identify Key Privacy Risks
Think in terms of what could happen to an individual if something goes wrong. Common risk areas include:
- unauthorised access to personal data (internal or external),
- excessive data collection,
- unclear notices or lack of transparency,
- lack of meaningful choice or control,
- inaccurate data leading to unfair outcomes,
- data being kept too long.
4) Put Mitigations In Place
This is where the DPIA becomes genuinely useful. Mitigations might include:
- data minimisation (collect less),
- shorter retention periods,
- pseudonymisation or encryption,
- access controls and audit logs,
- clear privacy notices and internal training,
- human review for automated decisions,
- opt-outs where appropriate.
It also helps to link your DPIA outcomes into your operational planning - for instance, updating internal policies, improving contracts, and making sure you have a plan if something goes wrong (many businesses keep a Data Breach Response Plan ready so they’re not scrambling during an incident).
5) Record The Outcome And Keep It Under Review
A DPIA shouldn’t be “one and done”. If you change the processing (new supplier, new features, broader data collection), revisit it.
As a rule of thumb: if your project evolves, your DPIA should evolve too.
Common DPIA Mistakes (And How To Avoid Them)
Most DPIA issues we see aren’t about bad intentions - they happen because businesses are busy and privacy gets bolted on late.
Here are some common pitfalls to watch out for:
Doing The DPIA After Launch
UK GDPR expects DPIAs to happen before risky processing begins. If you do it afterwards, you lose most of the risk-reduction benefit (and it looks reactive if a complaint arises).
Treating It Like A Template Exercise
Templates can help structure your thinking, but a DPIA has to reflect your real processing, systems, and risks. A generic DPIA that doesn’t match reality won’t protect you.
Forgetting Third-Party Suppliers
If you use cloud software, marketing platforms, HR systems, or CCTV providers, you’ll often have data sharing and processor relationships to manage. Make sure the commercial and privacy parts line up - and if someone is processing personal data on your behalf, the contract position matters.
Not Thinking About Staff Privacy In Internal Projects
Small businesses sometimes focus only on customer data, but employee monitoring and internal surveillance can carry just as much (or more) risk. Even seemingly straightforward choices like workplace cameras can raise legal and privacy issues - including whether cameras are legal in the workplace in your specific setup.
Not Updating Privacy Notices Or Internal Policies
If your DPIA identifies new processing, make sure you communicate it appropriately. That might mean updating your Privacy Policy, staff notices, and internal policies.
Missing The “Residual High Risk” Step
If you identify a high risk that you can’t adequately reduce, you may need to consult the ICO before you proceed. This is a serious step, but it’s part of UK GDPR’s approach to preventing harm.
Key Takeaways
- A DPIA is required under UK GDPR when your processing is likely to result in a high risk to individuals’ rights and freedoms.
- Common triggers include systematic monitoring, using new technologies, large-scale processing, profiling, and handling special category data like health or biometrics.
- If you’re unsure when a DPIA is required, use a practical test: describe the processing, check for high-risk categories, assess context and vulnerability, and record your reasoning.
- A good DPIA isn’t just a form - it should lead to real mitigations like collecting less data, tightening access controls, improving transparency, and reviewing supplier arrangements.
- Don’t leave DPIAs until after launch; doing them early helps you build privacy into your operations and avoid costly fixes later.
This article is general information only and does not constitute legal advice.
If you’d like help working out whether your project needs a DPIA, or you want support getting your GDPR documents and contracts in place, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.