Data protection impact assessments

<!doctype html>    <html lang="en">  <head prefix="og: http://ogp.me/ns#"><script type="text/javascript" src="https://web-static.archive.org/_static/js/bundle-playback.js?v=7YQSqjSh" charset="utf-8"></script> <script type="text/javascript" src="https://web-static.archive.org/_static/js/wombat.js?v=txqj7nKC" charset="utf-8"></script> <script>window.RufflePlayer=window.RufflePlayer||{};window.RufflePlayer.config={"autoplay":"on","unmuteOverlay":"hidden"};</script> <script type="text/javascript" src="https://web-static.archive.org/_static/js/ruffle/ruffle.js"></script> <script type="text/javascript"> __wm.init("http://web.archive.org/web"); __wm.wombat("https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/guide-to-accountability-and-governance/accountability-and-governance/data-protection-impact-assessments/","20240516111148","http://web.archive.org/","web","https://web-static.archive.org/_static/", "1715857908"); </script> <link rel="stylesheet" type="text/css" href="https://web-static.archive.org/_static/css/banner-styles.css?v=p7PEIJWi" /> <link rel="stylesheet" type="text/css" href="https://web-static.archive.org/_static/css/iconochive.css?v=3PDvdIFv" />  <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="initial-scale=1.0, width=device-width"> <title>Data protection impact assessments | ICO</title>   <meta name="DC.Subject" content=""/> <meta name="DC.Date" content="Friday, May 19, 2023"/> <meta name="DC.Creator" content=""/> <meta name="DC.Publisher" content="ICO"/> <meta name="DC.Title" content="Data protection impact assessments"/> <meta name="DC.PageID" content="58178"/>  <meta name="robots" content="index"/>   <meta property="og:title" content="Data protection impact assessments"/> <meta property="og:type" content="website"/> <meta property="og:url" content="http://web.archive.org/web/20240516111148/https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/guide-to-accountability-and-governance/accountability-and-governance/data-protection-impact-assessments/"/> <meta property="og:description" content=""/> <meta property="og:image" content="/web/20240516111148im_/https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/guide-to-accountability-and-governance/accountability-and-governance/data-protection-impact-assessments/"/> <meta name="twitter:title" content="Data protection impact assessments"/> <meta name="twitter:description" content=""/>  <link rel="shortcut icon" type="image/x-icon" href="/web/20240516111148im_/https://ico.org.uk/favicon.ico"/> <link href="/web/20240516111148cs_/https://ico.org.uk/cassette.axd/stylesheet/c29a030e3f8e5c51bbd193f893ac16e6d4a936d0/css" type="text/css" rel="stylesheet"/>   <script type="text/javascript"> !function(T,l,y){var S=T.location,k="script",D="instrumentationKey",C="ingestionendpoint",I="disableExceptionTracking",E="ai.device.",b="toLowerCase",w="crossOrigin",N="POST",e="appInsightsSDK",t=y.name||"appInsights";(y.name||T[e])&&(T[e]=t);var n=T[t]||function(d){var g=!1,f=!1,m={initialize:!0,queue:[],sv:"5",version:2,config:d};function v(e,t){var n={},a="Browser";return n[E+"id"]=a[b](),n[E+"type"]=a,n["ai.operation.name"]=S&&S.pathname||"_unknown_",n["ai.internal.sdkVersion"]="javascript:snippet_"+(m.sv||m.version),{time:function(){var e=new Date;function t(e){var t=""+e;return 1===t.length&&(t="0"+t),t}return e.getUTCFullYear()+"-"+t(1+e.getUTCMonth())+"-"+t(e.getUTCDate())+"T"+t(e.getUTCHours())+":"+t(e.getUTCMinutes())+":"+t(e.getUTCSeconds())+"."+((e.getUTCMilliseconds()/1e3).toFixed(3)+"").slice(2,5)+"Z"}(),iKey:e,name:"Microsoft.ApplicationInsights."+e.replace(/-/g,"")+"."+t,sampleRate:100,tags:n,data:{baseData:{ver:2}}}}var h=d.url||y.src;if(h){function a(e){var t,n,a,i,r,o,s,c,u,p,l;g=!0,m.queue=[],f||(f=!0,t=h,s=function(){var e={},t=d.connectionString;if(t)for(var n=t.split(";"),a=0;a<n.length;a++){var i=n[a].split("=");2===i.length&&(e[i[0][b]()]=i[1])}if(!e[C]){var r=e.endpointsuffix,o=r?e.location:null;e[C]="https://"+(o?o+".":"")+"dc."+(r||"services.visualstudio.com")}return e}(),c=s[D]||d[D]||"",u=s[C],p=u?u+"/v2/track":d.endpointUrl,(l=[]).push((n="SDK LOAD Failure: Failed to load Application Insights SDK script (See stack for details)",a=t,i=p,(o=(r=v(c,"Exception")).data).baseType="ExceptionData",o.baseData.exceptions=[{typeName:"SDKLoadFailed",message:n.replace(/\./g,"-"),hasFullStack:!1,stack:n+"\nSnippet failed to load ["+a+"] -- Telemetry is disabled\nHelp Link: https://go.microsoft.com/fwlink/?linkid=2128109\nHost: "+(S&&S.pathname||"_unknown_")+"\nEndpoint: "+i,parsedStack:[]}],r)),l.push(function(e,t,n,a){var i=v(c,"Message"),r=i.data;r.baseType="MessageData";var o=r.baseData;return o.message='AI (Internal): 99 message:"'+("SDK LOAD Failure: Failed to load Application Insights SDK script (See stack for details) ("+n+")").replace(/\"/g,"")+'"',o.properties={endpoint:a},i}(0,0,t,p)),function(e,t){if(JSON){var n=T.fetch;if(n&&!y.useXhr)n(t,{method:N,body:JSON.stringify(e),mode:"cors"});else if(XMLHttpRequest){var a=new XMLHttpRequest;a.open(N,t),a.setRequestHeader("Content-type","application/json"),a.send(JSON.stringify(e))}}}(l,p))}function i(e,t){f||setTimeout(function(){!t&&m.core||a()},500)}var e=function(){var n=l.createElement(k);n.src=h;var e=y[w];return!e&&""!==e||"undefined"==n[w]||(n[w]=e),n.onload=i,n.onerror=a,n.onreadystatechange=function(e,t){"loaded"!==n.readyState&&"complete"!==n.readyState||i(0,t)},n}();y.ld<0?l.getElementsByTagName("head")[0].appendChild(e):setTimeout(function(){l.getElementsByTagName(k)[0].parentNode.appendChild(e)},y.ld||0)}try{m.cookie=l.cookie}catch(p){}function t(e){for(;e.length;)!function(t){m[t]=function(){var e=arguments;g||m.queue.push(function(){m[t].apply(m,e)})}}(e.pop())}var n="track",r="TrackPage",o="TrackEvent";t([n+"Event",n+"PageView",n+"Exception",n+"Trace",n+"DependencyData",n+"Metric",n+"PageViewPerformance","start"+r,"stop"+r,"start"+o,"stop"+o,"addTelemetryInitializer","setAuthenticatedUserContext","clearAuthenticatedUserContext","flush"]),m.SeverityLevel={Verbose:0,Information:1,Warning:2,Error:3,Critical:4};var s=(d.extensionConfig||{}).ApplicationInsightsAnalytics||{};if(!0!==d[I]&&!0!==s[I]){var c="onerror";t(["_"+c]);var u=T[c];T[c]=function(e,t,n,a,i){var r=u&&u(e,t,n,a,i);return!0!==r&&m["_"+c]({message:e,url:t,lineNumber:n,columnNumber:a,error:i}),r},d.autoExceptionInstrumented=!0}return m}(y.cfg);function a(){y.onInit&&y.onInit(n)}(T[t]=n).queue&&0===n.queue.length?(n.queue.push(a),n.trackPageView({})):a()}(window,document,{ src: "http://web.archive.org/web/20240516111148/https://js.monitor.azure.com/scripts/b/ai.2.min.js", crossOrigin: "anonymous", cfg: { instrumentationKey: "1d8b12b7-5ec8-4f8a-ad58-d9c6836b2133", disableCookiesUsage: true }}); </script> <script src="/web/20240516111148js_/https://ico.org.uk/cassette.axd/script/5ee23aacdf970dd872941ccf4f703a43bccb2949/scripts/responsive-nav.min.js" type="text/javascript"></script> <script src="/web/20240516111148js_/https://ico.org.uk/cassette.axd/script/e959342b74f6ed9b82c2aa42af0bcf7fd59f2d10/scripts/lib" type="text/javascript"></script>    </head> <body id="top" class=""> <a class="link-skiptocontent invisible" href="#startcontent">Skip to main content <span class="icon-arrow-down"></span></a> <header class="header-banner"> <div class="container-header"> <div class="container row"> <div class="column column-3 siteheader-logo"> <a href="/web/20240516111148/https://ico.org.uk/"><span class="invisible">ICO: Information Commissioner's Office</span></a> </div> <div class="column column-6 siteheader-strapline h4"> <div class="siteheader-strapline-inner"> <p>The ICO exists to empower you through information.</p> </div> </div> <a href="" class="button-icon" id="toggle-siteheader-search"><span class="icon-search"></span><span class="invisible">Search</span><span class="icon-close"></span></a> <form action="http://web.archive.org/web/20240516111148/https://icosearch.ico.org.uk/s/search.html" method="GET" class="column column-3" id="siteheader-search"> <fieldset> <legend class="invisible">Search</legend> <div class="siteheader-search-form"> <label for="search" class="invisible">Search</label> <input type="search" id="search" name="query"> <input type="hidden" name="collection" value="ico-meta"/> <input type="hidden" name="profile" value="_default"/> <span class="button-icon icon-search"></span> <input type="submit" value="Search"> </div> </fieldset> </form> </div> </div> <div class="container-navigation"> <div class="container row"> <nav class="column column-12" aria-label="Main menu"> <ul> <li class="h3 theme-home"> <a href="/web/20240516111148/https://ico.org.uk/">Home<span class="icon-arrow-right"></span></a> </li> <li class="h3 theme-public"> <a href="/web/20240516111148/https://ico.org.uk/for-the-public/">For the public<span class="icon-arrow-right"></span></a> </li> <li class="h3 theme-organisations"> <a href="/web/20240516111148/https://ico.org.uk/for-organisations/" class="current">For organisations<span class="icon-arrow-right"></span></a> </li> <li class="h3 theme-report"> <a href="/web/20240516111148/https://ico.org.uk/make-a-complaint/">Make a complaint<span class="icon-arrow-right"></span></a> </li> <li class="h3 theme-action"> <a href="/web/20240516111148/https://ico.org.uk/action-weve-taken/">Action we've taken<span class="icon-arrow-right"></span></a> </li> <li class="h3 theme-about"> <a href="/web/20240516111148/https://ico.org.uk/about-the-ico/">About the ICO<span class="icon-arrow-right"></span></a> </li> </ul> </nav> </div> </div> </header> <main class="theme-organisations" id="startcontent"> <article class="container"> <header class="pageheader"> <div class="downloadandShare"> <div class="row"> <div class="column column-8"> <nav aria-label="breadcrumb" class="pageheader-breadcrumb text-small clearfix"> <ol> <li> <a href="/web/20240516111148/https://ico.org.uk/for-organisations/">For organisations</a><span>/</span> </li> <li> <a href="/web/20240516111148/https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/">UK GDPR guidance and resources</a><span>/</span> </li> <li> <a href="/web/20240516111148/https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/">Accountability and governance</a><span>/</span> </li> <li> <a href="/web/20240516111148/https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/guide-to-accountability-and-governance/">Guide to accountability and governance</a><span>/</span> </li> <li> <a href="/web/20240516111148/https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/guide-to-accountability-and-governance/accountability-and-governance/">Accountability and governance</a><span>/</span> </li> <li> <span class="current" aria-current="page" aria-label="Current page"> Data protection impact assessments </span> </li> </ol> </nav> <h1 id="multipage-heading">Data protection impact assessments</h1> <div id="multipage-snippet"> </div> </div> <div class="pageheader-download column column-4 column-indent-1"> <a href="#" id="toggle-hiddenpanel-headershare"><span class="h4">Share<span class="invisible">(Opens Share panel)</span></span><span class="button-circle"><span class="icon-share"></span></span></a> <a href="#" id="toggle-hiddenpanel-download"><span class="h4">Download options<span class="invisible">(Opens download panel)</span></span><span class="button-circle"><span class="icon-download"></span></span></a> </div> </div> <div class="hiddenpanel clearfix toggle-right" id="hiddenpanel-headershare" aria-label="panel share" style="display: none;"> <h2 class="h4">Share this page</h2> <ul class="clearfix"> <li> <a href="http://web.archive.org/web/20240516111148/http://www.reddit.com/submit?url=https:%2f%2fico.org.uk%2ffor-organisations%2fuk-gdpr-guidance-and-resources%2faccountability-and-governance%2fguide-to-accountability-and-governance%2faccountability-and-governance%2fdata-protection-impact-assessments%2f" target="_blank" class="button-circle"> <span class="icon-reddit"></span> <span class="invisible">Share via Reddit</span> </a> </li> <li> <a href="http://web.archive.org/web/20240516111148/https://www.linkedin.com/shareArticle?mini=true&title=Data+protection+impact+assessments&url=https:%2f%2fico.org.uk%2ffor-organisations%2fuk-gdpr-guidance-and-resources%2faccountability-and-governance%2fguide-to-accountability-and-governance%2faccountability-and-governance%2fdata-protection-impact-assessments%2f&source=Ico.org.uk" target="_blank" class="button-circle"> <span class="icon-linkedin"></span> <span class="invisible">Share via LinkedIn</span> </a> </li> <li> <a href="/web/20240516111148/https://ico.org.uk/cdn-cgi/l/email-protection#6b5409040f1256031f1f1b18514e590d4e590d0208044504190c451e004e590d0d04194604190c0a0502180a1f020405184e590d1e00460c0f1b19460c1e020f0a05080e460a050f46190e18041e19080e184e590d0a0808041e051f0a090207021f12460a050f460c041d0e19050a05080e4e590d0c1e020f0e461f04460a0808041e051f0a090207021f12460a050f460c041d0e19050a05080e4e590d0a0808041e051f0a090207021f12460a050f460c041d0e19050a05080e4e590d0f0a1f0a461b19041f0e081f0204054602061b0a081f460a18180e1818060e051f184e590d" target="_blank" class="button-circle"> <span class="icon-envelope"></span> <span class="invisible">Share via email</span> </a> </li> </ul> </div> <div class="hiddenpanel hiddenpanel-options clearfix" id="hiddenpanel-download"> <form method="post" action="/web/20240516111148/https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/guide-to-accountability-and-governance/accountability-and-governance/data-protection-impact-assessments/" target="_blank"> <fieldset> <legend class="invisible">Download options</legend> <div class="hiddenpanel-options-row"> <h2 class="h4">Pages</h2> <ul class="form-checkbox-list form-checkbox-list-buttons clearfix"> <li><input type="radio" name="pages" id="pages-all" value="all" checked><label for="pages-all"><span class="icon-files"></span> All pages</label></li> <li><input type="radio" name="pages" id="pages-this" value="this"><label for="pages-this"><span class="icon-file"></span> This page</label></li> </ul> </div> <div class="hiddenpanel-options-row"> <h2 class="h4">Format</h2> <ul class="form-checkbox-list form-checkbox-list-buttons clearfix"> <li> <input type="radio" name="format" id="format-pdf" value="pdf" checked="checked"> <label for="format-pdf"><span class="icon-file-pdf"></span> PDF</label> </li> </ul> </div> <button class="button">Download <span class="icon-download"></span></button> </fieldset> </form> </div> </div> </header> <div class="row"> <aside class="toc toc-multipage column column-3" aria-label="Search for documents filter"> <nav aria-label="Filtered Documents"> <form method="GET" class="toc-search"> <p> <label for="toc-search" class="invisible">Search article</label> <input type="search" id="toc-search" name="q" placeholder="Search this document"> <span class="button-icon icon-search" id="toc-search-button-icon"></span> <span class="button-icon icon-search icon-spinner animate-spin" id="toc-search-progress-icon" style="display: none;"> </span> <input type="submit" id="toc-search-button" value="Search"/> <span class="invisible" role="status" id="toc-search-status"></span> </p> </form> <ul> <li> <a href="/web/20240516111148/https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/guide-to-accountability-and-governance/" class=""> Accountability and governance </a> <ul> <li> <a href="/web/20240516111148/https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/guide-to-accountability-and-governance/accountability-and-governance/contracts/" class=""> Contracts </a> </li> <li> <a href="/web/20240516111148/https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/guide-to-accountability-and-governance/accountability-and-governance/documentation/" class=""> Documentation </a> </li> <li> <a href="/web/20240516111148/https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/guide-to-accountability-and-governance/accountability-and-governance/data-protection-by-design-and-default/" class=""> Data protection by design and default </a> </li> <li> <a href="/web/20240516111148/https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/guide-to-accountability-and-governance/accountability-and-governance/data-protection-impact-assessments/" class="current"> Data protection impact assessments </a> </li> <li> <a href="/web/20240516111148/https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/guide-to-accountability-and-governance/accountability-and-governance/data-protection-officers/" class=""> Data protection officers </a> </li> </ul> </li> </ul> </nav> </aside> <div class="maincolumn column column-8 column-indent-1"> <div class="article-content"> <div class="amberBlock"> <p>The Brexit transition period ended on 31 December 2020. The GDPR has been retained in UK law as the UK GDPR, and will continue to be read alongside the Data Protection Act 2018, with technical amendments to ensure it can function in UK law. If you transfer or receive data from overseas please visit our <a data-udi="umb://document/e62057d7a6f74b3e8b6cd8807e9f94fd" href="/web/20240516111148/https://ico.org.uk/for-organisations-2/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-transfers/" title="International transfers after the UK exit from the EU Implementation Period">End of Transition</a> and <a data-udi="umb://document/e62057d7a6f74b3e8b6cd8807e9f94fd" href="/web/20240516111148/https://ico.org.uk/for-organisations-2/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-transfers/" title="International transfers after the UK exit from the EU Implementation Period">International Transfers</a> pages. You should make sure you can identify any data you collected before the end of 2020 about people outside the UK, for further information, see our Q&A on Legacy Data.</p> <p>On 01 January, there will not be any significant change to the UK data protection regime, or to the criteria that compel DPIAs. This guidance draws on European resources which we still consider to be relevant, and so these resources remain part of our DPIA guidance. </p> <p>We will keep this guidance under review and update it as and when any aspect of your obligations or our approach changes. Please continue to monitor our website for updates.</p> </div> <p> </p> <span id="Details_4a9bbaa5-3a34-4f00-b5cb-604f76ab0e72" style="display: none;" aria-hidden="true">Click to toggle details</span> <details class="ico-details"> <summary class="ico-details__summary" aria-describedby="Details_4a9bbaa5-3a34-4f00-b5cb-604f76ab0e72"> <span class="ico-details__summary-text">Latest updates</span> </summary> <div class="ico-details__text"> <p><strong>19 May 2023</strong> - we have broken the Guide to the UK GDPR down into smaller guides. All the content stays the same.</p> </div> </details> <p> </p> <ul> <li>Click here for a sample <a rel="noopener" data-id="36081" href="/web/20240516111148/https://ico.org.uk/media/for-organisations/documents/2553993/dpia-template.docx" target="_blank" class="link-external">DPIA Template<span class="invisible"></span></a></li> <li>Click here to <a href="#dpia5">contact the ICO about your DPIA </a></li> </ul> <h2>At a glance</h2> <ul> <li>A Data Protection Impact Assessment (DPIA) is a process to help you identify and minimise the data protection risks of a project.</li> <li>You must do a DPIA for processing that is <strong>likely to result in a high risk</strong> to individuals. This includes some specified types of processing. You can use our screening checklists to help you decide when to do a DPIA.</li> <li>It is also good practice to do a DPIA for any other major project which requires the processing of personal data.</li> <li>Your DPIA must: <ul> <li>describe the nature, scope, context and purposes of the processing;</li> <li>assess necessity, proportionality and compliance measures;</li> <li>identify and assess risks to individuals; and</li> <li>identify any additional measures to mitigate those risks.</li> </ul> </li> <li>To assess the level of risk, you must consider both the likelihood and the severity of any impact on individuals. High risk could result from either a high probability of some harm, or a lower possibility of serious harm.</li> <li>You should consult your data protection officer (if you have one) and, where appropriate, individuals and relevant experts. Any processors may also need to assist you.</li> <li>If you identify a high risk that you cannot mitigate, you must consult the ICO before starting the processing.</li> <li>If you are processing for law-enforcement purposes, you should read this alongside the <a data-id="30941" href="/web/20240516111148/https://ico.org.uk/for-organisations/law-enforcement/guide-to-le-processing/" title="Guide to Law Enforcement Processing (Part 3 of the DP Act 2018)">Guide to Law Enforcement Processing</a>.</li> <li>The ICO will give written advice within eight weeks, or 14 weeks in complex cases. If appropriate, we may issue a formal warning not to process the data, or ban the processing altogether.</li> </ul> <h2><a id="checklists"></a>Checklists</h2> <h3>DPIA awareness checklist</h3> <div class="example example-letter"> <p><span>☐ </span>We provide training so that our staff understand the need to consider a DPIA at the early stages of any plan involving personal data.</p> <p><span>☐ </span>Our existing policies, processes and procedures include references to DPIA requirements.</p> <p><span>☐ </span>We understand the types of processing that require a DPIA, and use the screening checklist to identify the need for a DPIA, where necessary.</p> <p><span>☐ </span>We have created and documented a DPIA process.</p> <p><span>☐ </span>We provide training for relevant staff on how to carry out a DPIA.</p> </div> <h3>DPIA screening checklist</h3> <div class="example example-letter"> <p><span>☐ We consider carrying out a DPIA in any major project involving the use of personal data.</span></p> <p><span>☐ We consider whether to do a DPIA if we plan to carry out any other:</span></p> <p style="padding-left: 30px;"><span>☐ evaluation or scoring;</span></p> <p style="padding-left: 30px;"><span>☐ automated decision-making with significant effects;</span></p> <p style="padding-left: 30px;"><span>☐ systematic monitoring;</span></p> <p style="padding-left: 30px;"><span>☐ processing of sensitive data or data of a highly personal nature;</span></p> <p style="padding-left: 30px;"><span>☐ processing on a large scale;</span></p> <p style="padding-left: 30px;"><span>☐ processing of data concerning vulnerable data subjects;</span></p> <p style="padding-left: 30px;"><span>☐ innovative technological or organisational solutions;</span></p> <p style="padding-left: 30px;"><span>☐ processing that involves preventing data subjects from exercising a right or using a service or contract</span>.</p> <p><span>☐ We always carry out a DPIA if we plan to</span>:</p> <p style="padding-left: 30px;"><span>☐ use systematic and extensive profiling or automated decision-making to make significant decisions about people;</span></p> <p style="padding-left: 30px;"><span>☐ process special-category data or criminal-offence data on a large scale;</span></p> <p style="padding-left: 30px;"><span>☐ systematically monitor a publicly accessible place on a large scale;</span></p> <p style="padding-left: 30px;"><span>☐<span> use innovative technology in combination with any of the criteria in the European guidelines;</span></span></p> <p style="padding-left: 30px;"><span>☐ use profiling, automated decision-making or special category data to help make decisions on someone’s access to a service, opportunity or benefit;</span></p> <p style="padding-left: 30px;"><span>☐<span> carry out profiling on a large scale</span>;</span></p> <p style="padding-left: 30px;"><span>☐ process biometric or genetic data in combination with any of the criteria in the European guidelines;</span></p> <p style="padding-left: 30px;"><span>☐<span> combine, compare or match data from multiple sources; </span></span></p> <p style="padding-left: 30px;"><span>☐ process personal data without providing a privacy notice directly to the individual in combination with any of the criteria in the European guidelines;</span></p> <p style="padding-left: 30px;"><span>☐<span> process personal data in a way that involves tracking individuals’ online or offline location or behaviour, in combination with any of the criteria in the European guidelines</span>;</span></p> <p style="padding-left: 30px;"><span>☐<span> process children’s personal data for profiling or automated decision-making or for marketing purposes, or offer online services directly to them;</span></span></p> <p style="padding-left: 30px;"><span><span>☐<span> process personal data that could result in a risk of physical harm in the event of a security breach.</span></span></span></p> <p><span>☐ We carry out a new DPIA if there is a change to the nature, scope, context or purposes of our processing.</span></p> <p><span>☐ </span>If we decide not to carry out a DPIA, we document our reasons.</p> </div> <h3>DPIA process checklist</h3> <div class="example example-letter"> <p><span>☐ </span>We describe the nature, scope, context and purposes of the processing.</p> <p><span>☐ </span>We ask our data processors to help us understand and document their processing activities and identify any associated risks.</p> <p><span>☐ </span>We consider how best to consult individuals (or their representatives) and other relevant stakeholders.</p> <p><span>☐ </span>We ask for the advice of our data protection officer.</p> <p><span>☐ We check that the processing is necessary for and proportionate to our purposes, and describe how we will ensure compliance with data protection principles</span>.</p> <p><span>☐ </span>We do an <a data-udi="umb://document/488115f71a0944788677cc798e04c0c7" href="/web/20240516111148/https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/data-protection-impact-assessments-dpias/how-do-we-do-a-dpia/#how9" title="How do we do a DPIA?" data-anchor="#how9">objective assessment</a> of the likelihood and severity of any risks to individuals’ rights and interests.</p> <p><span>☐ </span>We identify measures we can put in place to eliminate or reduce high risks.</p> <p><span>☐ We record our decision-making in the outcome of the DPIA, including any difference of opinion with our DPO or individuals consulted.</span></p> <p><span>☐ </span>We implement the measures we identified, and integrate them into our project plan.</p> <p><span>☐ </span>We consult the ICO before processing, if we cannot mitigate high risks.</p> <p><span>☐ </span>We keep our DPIAs under review and revisit them when necessary.</p> </div> <h3>Have we written a good DPIA?</h3> <p>A good DPIA helps you to evidence that:</p> <ul> <li>you have considered the risks related to your intended processing; and</li> <li>you have met your broader data protection obligations.</li> </ul> <p>This checklist will help ensure you have written a good DPIA.</p> <p>We have:</p> <div class="example example-letter"> <p><span>☐ confirmed whether the DPIA is a review of pre-GDPR processing or covers intended processing, including timelines in either case;</span></p> <p><span>☐ explained why we needed a DPIA, detailing the types of intended processing that made it a requirement;</span></p> <p><span>☐ structured the document clearly, systematically and logically;</span></p> <p><span>☐ written the DPIA in plain English, with a non-specialist audience in mind, explaining any technical terms and acronyms we have used;</span></p> <p><span>☐ set out clearly the relationships between controllers, processors, data subjects and systems, using both text and data-flow diagrams where appropriate;</span></p> <p><span>☐ ensured that the specifics of any flows of personal data between people, systems, organisations and countries have been clearly explained and presented;</span></p> <p><span>☐ explicitly stated how we are complying with each of the Data Protection Principles under GDPR and clearly explained our lawful basis for processing (and special category conditions if relevant);</span></p> <p><span>☐ explained how we plan to support the relevant information rights of our data subjects;</span></p> <p><span>☐ identified all relevant risks to individuals’ rights and freedoms, assessed their likelihood and severity, and detailed all relevant mitigations;</span></p> <p><span>☐ explained sufficiently how any proposed mitigation reduces the identified risk in question;</span></p> <p><span>☐ evidenced our consideration of any less risky alternatives to achieving the same purposes of the processing, and why we didn’t choose them; </span></p> <p><span>☐ given details of stakeholder consultation (e.g. data subjects, representative bodies) and included summaries of findings;</span></p> <p><span>☐ attached any relevant additional documents we reference in our DPIA, e.g. Privacy Notices, consent documents;</span></p> <p><span>☐ recorded the advice and recommendations of our DPO (where relevant) and ensured the DPIA is signed off by the appropriate people;</span></p> <p><span>☐ agreed and documented a schedule for reviewing the DPIA regularly or when we change the nature, scope, context or purposes of the processing;</span></p> <p><span>☐ consulted the ICO if there are residual high risks we cannot mitigate<span>.</span></span></p> </div> <h2><span><span>In brief</span></span></h2> <ul> <li><a href="#dpia2">What is a DPIA?</a></li> <li><a href="#dpia3">When do we need a DPIA?</a></li> <li><a href="#dpia4">How do we carry out a DPIA?</a></li> <li><a href="#dpia5">Do we need to consult the ICO?</a></li> <li><a data-id="31822" href="/web/20240516111148/https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/data-protection-impact-assessments-dpias/" title="Data Protection Impact Assessments (DPIAs)">In more detail</a></li> </ul> <h3><a id="dpia2"></a>What is a DPIA?</h3> <p>A DPIA is a way for you to systematically and comprehensively analyse your processing and help you identify and minimise data protection risks.</p> <p>DPIAs should consider compliance risks, but also broader risks to the rights and freedoms of individuals, including the potential for any significant social or economic disadvantage. The focus is on the potential for harm – to individuals or to society at large, whether it is physical, material or non-material.</p> <p>To assess the level of risk, a DPIA must consider both the likelihood and the severity of any impact on individuals.</p> <p>A DPIA does not have to indicate that all risks have been eradicated. But it should help you document them and assess whether or not any remaining risks are justified.</p> <p>DPIAs are a legal requirement for processing that is likely to be high risk. But an effective DPIA can also bring broader compliance, financial and reputational benefits, helping you demonstrate accountability and building trust and engagement with individuals.</p> <p>A DPIA may cover a single processing operation or a group of similar processing operations. A group of controllers can do a joint DPIA.</p> <p>It’s important to embed DPIAs into your organisational processes and ensure the outcome can influence your plans. A DPIA is not a one-off exercise. You should see it as an ongoing process that is subject to regular review.</p> <h3><a id="dpia3"></a>When do we need a DPIA?</h3> <p>You must do a DPIA before you begin any type of processing that is “likely to result in a high risk”. This means that although you have not yet assessed the actual level of risk, you need to screen for factors that point to the potential for a widespread or serious impact on individuals.</p> <p>In particular, the UK GDPR says you must do a DPIA if you plan to:</p> <ul> <li>use systematic and extensive profiling with significant effects;</li> <li>process special category or criminal offence data on a large scale; or</li> <li>systematically monitor publicly accessible places on a large scale.</li> </ul> <p>When considering if your processing is likely to result in high risk, you should consider the relevant <a href="http://web.archive.org/web/20240516111148/http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=611236">European guidelines</a>. These define nine criteria of processing operations likely to result in high risk. While the guidelines suggest that, in most cases, any processing operation involving two or more of these criteria requires a DPIA, you may consider in your case that just meeting one criterion could require a DPIA.</p> <p>The ICO also requires you to do a DPIA if you plan to:</p> <ul> <li>use innovative technology (in combination with any of the criteria from the European guidelines);</li> <li>use profiling or special category data to decide on access to services;</li> <li>profile individuals on a large scale;</li> <li>process biometric data (in combination with any of the criteria from the European guidelines);</li> <li>process genetic data (in combination with any of the criteria from the European guidelines);</li> <li>match data or combine datasets from different sources;</li> <li>collect personal data from a source other than the individual without providing them with a privacy notice (‘invisible processing’) (in combination with any of the criteria from the European guidelines);</li> <li>track individuals’ location or behaviour (in combination with any of the criteria from the European guidelines);</li> <li>profile children or target marketing or online services at them; or</li> <li>process data that might endanger the individual’s physical health or safety in the event of a security breach.</li> </ul> <p>You should also think carefully about doing a DPIA for any other processing that is large scale, involves profiling or monitoring, decides on access to services or opportunities, or involves sensitive data or vulnerable individuals.</p> <p>Even if there is no specific indication of likely high risk, it is good practice to do a DPIA for any major new project involving the use of personal data. You can use or adapt the <a href="#checklists">checklists</a> to help you carry out this screening exercise.</p> <h3><a id="dpia4"></a>How do we carry out a DPIA?</h3> <p>A DPIA should begin early in the life of a project, before you start your processing, and run alongside the planning and development process. It should include these steps:</p> <p><img id="__mcenew" src="/web/20240516111148im_/https://ico.org.uk/media/images/graphics/2258436/dpia1.png" alt="" data-id="30760"></p> <p>You must seek the advice of your data protection officer (if you have one). You should also consult with individuals and other stakeholders throughout this process.</p> <p>The process is designed to be flexible and scalable. You can use or adapt our <a rel="noopener" data-id="36081" href="/web/20240516111148/https://ico.org.uk/media/for-organisations/documents/2553993/dpia-template.docx" target="_blank" title="DPIA template" class="link-external">sample DPIA template<span class="invisible"></span></a>, or create your own. If you want to create your own, you may want to refer to the European guidelines which set out <a rel="noopener" href="http://web.archive.org/web/20240516111148/https://ec.europa.eu/newsroom/just/redirection/document/47711" target="_blank" title="Guidelines on Data Protection Impact Assessment (DPIA)" class="link-external">Criteria for an acceptable DPIA<span class="invisible"></span></a></p> <p>Although publishing a DPIA is not a requirement of UK GDPR, you should actively consider the benefits of publication. As well as demonstrating compliance, publication can help engender trust and confidence. We would therefore recommend that you publish your DPIAs, where possible, removing sensitive details if necessary.</p> <h3><a id="dpia5"></a>Do we need to consult the ICO?</h3> <p>You don’t need to send every DPIA to the ICO and we expect the percentage sent to us to be small. But you must consult the ICO if your DPIA identifies a high risk and you cannot take measures to reduce that risk. You cannot begin the processing until you have consulted us.</p> <p>If you want your project to proceed effectively then investing time in producing a comprehensive DPIA may prevent any delays later, if you have to consult with the ICO.</p> <p>You need to <a href="/web/20240516111148/https://ico.org.uk/cdn-cgi/l/email-protection#8ce8fce5edefe3e2fff9e0f8edf8e5e3e2cce5efe3a2e3feeba2f9e7">send us</a> a copy of your DPIA.</p> <p>Once we have the information we need, we will generally respond within eight weeks (although we can extend this by a further six weeks in complex cases).</p> <p>We will provide you with a written response advising you whether the risks are acceptable, or whether you need to take further action. In some cases we may advise you not to carry out the processing because we consider it would be in breach of the GDPR. In appropriate cases we may issue a formal warning or take action to ban the processing altogether.</p> </div> <aside class="aside-further" aria-label="Document menu"> <h2 class="offscreen">Further Reading</h2> <ul> <li> <a href="http://web.archive.org/web/20240516111148/https://www.legislation.gov.uk/eur/2016/679/contents" target="_blank"> <h3 class="h4 link-external">Relevant provisions in the UK GDPR - See Articles 35 and 36 and Recitals 74-77, 84, 89-92, 94 and 95<span class="invisible"></span></h3> <div class="text-small"> <p>External link</p> </div> <span class="icon-external-link"></span> </a> </li> <li> <a href="http://web.archive.org/web/20240516111148/https://www.gov.uk/government/publications/data-protection-impact-assessments-for-surveillance-cameras" target="_blank"> <h3 class="h4 link-external">Joint Surveillance Camera Commissioner /ICO guidance on Data protection impact assessments for surveillance camera systems<span class="invisible"></span></h3> <div class="text-small"> <p>External link</p> </div> <span class="icon-external-link"></span> </a> </li> </ul> </aside> <div class="article-content"> <div class="greenBlock"> <p><strong>In more detail – ICO guidance</strong></p> <p>We have published <a data-id="31822" href="/web/20240516111148/https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/data-protection-impact-assessments-dpias/" title="Data Protection Impact Assessments (DPIAs)">more detailed guidance on DPIAs</a>.</p> <p>The <a data-id="43208" href="/web/20240516111148/https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/accountability-framework/risks-and-data-protection-impact-assessments-dpias/" title="Risks and data protection impact assessments (DPIAs)">Accountability Framework</a> looks at the ICO’s expectations in relation to DPIAs.</p> </div> <p> </p> <div class="amberBlock"> <p><strong>In more detail – European Data Protection Board </strong></p> <ul> <li>WP29 produced <a href="http://web.archive.org/web/20240516111148/https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=611236">guidelines on data protection impact assessments</a>, which have been endorsed by the EDPB.</li> <li>Other relevant guidelines include:</li> <li><a href="http://web.archive.org/web/20240516111148/http://ec.europa.eu/newsroom/document.cfm?doc_id=44100">Guidelines on Data Protection Officers (‘DPOs’) (WP243)</a></li> <li><a href="http://web.archive.org/web/20240516111148/http://ec.europa.eu/newsroom/article29/document.cfm?doc_id=49826">Guidelines on automated individual decision-making and profiling for the purposes of Regulation 2016/679 (WP251)</a></li> </ul> </div> </div> <nav class="article-navigation" aria-label="article"> <a href="#top" class="button-circle" title="Back to top" id="button-top"><span class="icon-arrow-up"></span><span class="invisible">Back to top</span></a> <a href="/web/20240516111148/https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/guide-to-accountability-and-governance/accountability-and-governance/data-protection-by-design-and-default/" class="button button-icon-left button-previous"><span class="icon-arrow-left"></span> Previous</a> <a href="/web/20240516111148/https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/guide-to-accountability-and-governance/accountability-and-governance/data-protection-officers/" class="button button-next button-right">Next <span class="icon-arrow-right"></span></a> </nav> </div> </div> </article> </main> <footer> <div class="footer-sociallinks container row"> <div class="footer-sociallinks-links footer-sociallinks-links--left column column-2"> <ul class=""> <li> <a href="#" class="button-circle" id="toggle-hiddenpanel-share"> <span class="icon-share"></span> <span class="invisible">Share this page</span> </a> </li> <li> <a href="javascript:window.print()" class="button-circle" data-item="Print"> <span class="icon-print"></span> <span class="invisible">Print this page</span> </a> </li> <li> <a href="/web/20240516111148/https://ico.org.uk/global/rss-feeds/" class="button-circle" data-item="RSS"> <span class="icon-feed"></span> <span class="invisible">RSS feeds</span> </a> </li> </ul> </div> <div class="footer-sociallinks-language column column-2 language-dropdown-container"> <div class="language-dropdown-tab-controls dropdown"> <a href="#" class="visible-xs mobile-tabcontrol" title="Language Selector" aria-haspopup="true" aria-expanded="false" data-target="[langSelector__nav]"> <ul class="globe-list"> <li class="button-circle globe" title="Language"> <span class="icon-globe"></span></li> </ul> <span class="dropdown-label">English</span> <span class="chevron down"></span> </a> <ul class="nav nav-tabs" data-name="langSelector__nav"> <li class="tab active"> <a rel="nofollow" href="http://web.archive.org/web/20240516111148/https://ico.org.uk/" name="English" class="content language-item">English</a> </li> <li class="tab"> <a rel="nofollow" href="http://web.archive.org/web/20240516111148/https://cy.ico.org.uk/" name="Welsh" class="content language-item">Cymraeg</a> </li> </ul> </div> </div> <div class="footer-sociallinks-links footer-sociallinks-links--right column column-4"> <ul class="clearfix"> <li> <a href="http://web.archive.org/web/20240516111148/https://twitter.com/iconews" target="_blank" class="button-circle" data-item="Follow us on Twitter"> <span class="icon-twitter"></span> <span class="invisible">Follow us on Twitter</span> </a> </li> <li> <a href="http://web.archive.org/web/20240516111148/http://facebook.com/ICOnews" target="_blank" class="button-circle" data-item="Like us on Facebook"> <span class="icon-facebook"></span> <span class="invisible">Like us on Facebook</span> </a> </li> <li> <a href="http://web.archive.org/web/20240516111148/http://linkedin.com/company/information-commissioner's-office" target="_blank" class="button-circle" data-item="Connect with us on Linkedin"> <span class="icon-linkedin"></span> <span class="invisible">Connect with us on Linkedin</span> </a> </li> <li> <a href="http://web.archive.org/web/20240516111148/http://www.youtube.com/user/icocomms" target="_blank" class="button-circle" data-item="Watch us on YouTube"> <span class="icon-youtube"></span> <span class="invisible">Watch us on YouTube</span> </a> </li> </ul> </div> <div class="hiddenpanel clearfix" id="hiddenpanel-share"> <h2 class="h4">Share this page</h2> <ul class="clearfix"> <li> <a href="http://web.archive.org/web/20240516111148/http://www.reddit.com/submit?url=https:%2f%2fico.org.uk%2fabout-the-ico%2fmedia-centre%2fnews-and-blogs%2f" target="_blank" class="button-circle"> <span class="icon-reddit"></span> <span class="invisible">Share via Reddit</span> </a> </li> <li> <a href="http://web.archive.org/web/20240516111148/https://www.linkedin.com/shareArticle?mini=true&title=News%2c+blogs+and+speeches&url=https:%2f%2fico.org.uk%2fabout-the-ico%2fmedia-centre%2fnews-and-blogs%2f&source=Ico.org.uk" target="_blank" class="button-circle"> <span class="icon-linkedin"></span> <span class="invisible">Share via LinkedIn</span> </a> </li> <li> <a href="/web/20240516111148/https://ico.org.uk/cdn-cgi/l/email-protection#dae5b8b5bea3e7b2aeaeaaa9e0ffe8bcffe8bcb3b9b5f4b5a8bdf4afb1ffe8bcbbb8b5afaef7aeb2bff7b3b9b5ffe8bcb7bfbeb3bbf7b9bfb4aea8bfffe8bcb4bfada9f7bbb4bef7b8b6b5bda9ffe8bc" target="_blank" class="button-circle"> <span class="icon-envelope"></span> <span class="invisible">Share via email</span> </a> </li> </ul> </div> <a href="/web/20240516111148/https://ico.org.uk/about-the-ico/media-centre/e-newsletter/" class="footer-sociallinks-newsletter"> <span class="h4">Subscribe to our e-newsletter</span> <span class="button-circle"> <span class="icon-envelope"></span> </span> </a> <div class="footer-sociallinks-language--mobile language-dropdown-container"> <div class="language-dropdown-tab-controls dropdown"> <a href="#" class="visible-xs mobile-tabcontrol" title="Language Selector" aria-haspopup="true" aria-expanded="false" data-target="[langSelector__nav--mobile]"> <ul class="globe-list"> <li class="button-circle globe" title="Language"><span class="icon-globe"></span></li> </ul> <span class="dropdown-label">English</span> <span class="chevron down"></span> </a> <ul class="nav nav-tabs" data-name="langSelector__nav--mobile"> <li class="tab active"> <a rel="nofollow" href="http://web.archive.org/web/20240516111148/https://ico.org.uk/" name="English" class="content language-item">English</a> </li> <li class="tab"> <a rel="nofollow" href="http://web.archive.org/web/20240516111148/https://cy.ico.org.uk/" name="Welsh" class="content language-item">Cymraeg</a> </li> </ul> </div> </div> </div> <div class="container-sitemap"> <div class="container row"> <div class="column column-2"> <a href="/web/20240516111148/https://ico.org.uk/" class="footer-sitemap-logo"><span class="invisible">ICO: Information Commissioner's Office</span></a> </div> <div class="column column-2"> <h2 class="h4"><a href="/web/20240516111148/https://ico.org.uk/for-the-public/">Your data matters</a></h2> <ul class="text-small"> <li><a href="/web/20240516111148/https://ico.org.uk/for-the-public/official-information/">Official information</a></li> <li><a href="/web/20240516111148/https://ico.org.uk/for-the-public/nuisance-calls/">Nuisance calls</a></li> </ul> </div> <div class="column column-2"> <h2 class="h4"><a href="/web/20240516111148/https://ico.org.uk/for-organisations/">For organisations</a></h2> <ul class="text-small"> <li><a href="/web/20240516111148/https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/">UK GDPR guidance and resources</a></li> <li><a href="/web/20240516111148/https://ico.org.uk/for-organisations/foi/">Freedom of information</a></li> <li><a href="/web/20240516111148/https://ico.org.uk/for-organisations/eir-and-access-to-information/">EIR and access to information</a></li> <li><a href="/web/20240516111148/https://ico.org.uk/for-organisations/direct-marketing-and-privacy-and-electronic-communications/">Direct marketing</a></li> <li><a href="/web/20240516111148/https://ico.org.uk/for-organisations/advice-and-services/">Advice and services</a></li> </ul> </div> <div class="column column-2"> <h2 class="h4"><a href="/web/20240516111148/https://ico.org.uk/action-weve-taken/">Action we've taken</a></h2> <ul class="text-small"> <li><a href="/web/20240516111148/https://ico.org.uk/action-weve-taken/enforcement/">Enforcement action</a></li> <li><a href="http://web.archive.org/web/20240516111148/https://icosearch.ico.org.uk/s/search.html?collection=ico-meta&profile=decisions&query">Decision notices</a></li> <li><a href="/web/20240516111148/https://ico.org.uk/action-weve-taken/audits-and-overview-reports/">Audits</a></li> </ul> </div> <div class="column column-2"> <h2 class="h4"><a href="/web/20240516111148/https://ico.org.uk/about-the-ico/">About the ICO</a></h2> <ul class="text-small"> <li><a href="/web/20240516111148/https://ico.org.uk/about-the-ico/who-we-are/">Who we are</a></li> <li><a href="/web/20240516111148/https://ico.org.uk/about-the-ico/what-we-do/">What we do</a></li> <li><a href="/web/20240516111148/https://ico.org.uk/about-the-ico/media-centre/">Media centre</a></li> <li><a href="/web/20240516111148/https://ico.org.uk/about-the-ico/jobs/">Careers</a></li> <li><a href="/web/20240516111148/https://ico.org.uk/about-the-ico/modern-slavery-statement/">Modern Slavery Statement</a></li> </ul> </div> </div> </div> <div class="container-strapline"> <div class="container row"> <div class="column column-12 h4"> <p>The ICO exists to empower you through information.</p> </div> </div> </div> <div class="container-footerlinks"> <div class="container row"> <div class="column column-12"> <nav aria-label="footer" class="clearfix"> <a href="/web/20240516111148/https://ico.org.uk/global/contact-us/">Contact us</a> <a href="/web/20240516111148/https://ico.org.uk/global/privacy-notice/">Privacy notice</a> <a href="/web/20240516111148/https://ico.org.uk/global/cookies/">Cookies</a> <a href="/web/20240516111148/https://ico.org.uk/global/accessibility/">Accessibility</a> <a href="http://web.archive.org/web/20240516111148/https://ico.org.uk/about-the-ico/who-we-are/wales-office">Cymraeg</a> <a href="/web/20240516111148/https://ico.org.uk/global/request-publications/">Publications</a> <a href="/web/20240516111148/https://ico.org.uk/global/disclaimer/">Disclaimer</a> <a href="/web/20240516111148/https://ico.org.uk/global/copyright-and-re-use-of-materials/">© Copyright</a> </nav> <div class="footerlinks-phone h2"><span class="icon-phone"></span><span class="invisible">Phone:</span> 0303 123 1113</div> <div class="footer-ogl"><span class="invisible">Open Government Licence</span></div> <div class="text-small footer-ogl-info"> All text content is available under the <a href="http://web.archive.org/web/20240516111148/http://www.nationalarchives.gov.uk/doc/open-government-licence/version/3/">Open Government Licence v3.0</a>, except where otherwise stated. </div> </div> </div> </div> </footer> <script data-cfasync="false" src="/web/20240516111148js_/https://ico.org.uk/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script><script type="text/html" id="CookieControlConfig"> {"apiKey":"dbf86e044f3ab8c4df852af5c7c6ceb2dd7678dd","product":"PRO","theme":"dark","position":"left","rejectButton":true,"closeStyle":"button","consentCookieExpiry":90,"initialState":"open","statement":{"description":"For more detailed information about the cookies we use, see our","name":"Cookies page.","url":"/global/cookies/","updated":"17/05/2023"},"text":{"notifyTitle":"Our use of cookies","notifyDescription":"We use necessary cookies to make our site work. We'd also like to set analytics cookies that help us make improvements by measuring how you use the site. These will only be set if you press accept","accept":"Accept all cookies","reject":"Reject all cookies","settings":"Settings","necessaryTitle":"Necessary cookies","necessaryDescription":"Necessary cookies enable core functionality such as security, network management, and accessibility. You may disable these by changing your browser settings, but this may affect how the website functions.","title":"Our use of cookies","intro":"We use necessary cookies to make our site work. We'd also like to set analytics cookies that help us make improvements by measuring how you use the site. These will be set only if you accept.","acceptRecommended":"Accept all cookies","rejectSettings":"Reject all cookies","closeLabel":"Save and close"},"branding":{"fontFamily":"Verdana, Helvetica, Arial, sans-serif","fontColor":"#FFF","fontSizeTitle":"25px","fontSizeIntro":"15px","fontSizeHeaders":"21px","fontSize":"15px","acceptBackground":"#FFF","backgroundColor":"#0276A5","toggleText":"#FFF","toggleColor":"#0276A5","toggleBackground":"#2F2F5F","removeAbout":true},"necessaryCookies":["rwe*","language","UMB_*","UMB-*","XSRF-*","__RequestVerificationToken"],"optionalCookies":[{"name":"analytics","label":"Analytics cookies","description":"We'd like to collect website analytics information using Silktide to help us improve the website. We collect this data by running Silktide analytics JavaScript on your device, which collects data about how you have interacted with our site. The data is collected in a way that does not directly identify anyone. For more information please see our Cookies page.","cookies":[],"lawfulBasis":"Consent","recommendedState":true,"onAccept":"try {\n ICO.Silktide.enable(\"12d0c703744ea255b679f823daf1645f\");\n} catch (err) {}","onRevoke":"try {\n ICO.Silktide.disable();\n} catch (err) {}"}]} </script> <script src="/web/20240516111148js_/https://ico.org.uk/cassette.axd/script/1f29167faa088c5124984009ad963e616a7ff571/scripts" type="text/javascript"></script>  </body> </html>

CINXE.COM

Data protection impact assessments | ICO