Adopters - Complying with the UK GDPR Steps 1 - 7: an introduction- Step 2: Consider doing a DPIA

Reviewed by: Health and Care IG Panel

Before you start processing health and care data involving the use of new technology, including in the context of deploying a technology in a health or social care setting, you should consider doing a DPIA. This will help you identify and minimise any data protection problems early on, and to fully consider the risks to patients and service users. It will also help you build public trust because it will help you consider how to make your data processing transparent (such as through creating privacy notices).

You can use the standardised DPIA template developed by the Health and Care IG Panel. It will also help you carry out the assessments required in steps 3 and 4 below.

A DPIA is required by law before you carry out processing of special category data on a large scale by an innovative technology, because this constitutes a high risk (see ICO's examples of processing ‘likely to result in high risk’). Failure to carry one out when required could result in a fine, prosecution and damage to reputation.

You may need to modify the DPIA or create a new one at later stages of the technology adoption pathway if you change an existing processing activity. For example, if you make significant changes to how or why personal data is processed, or the type or amount of data being processed. In other words, a DPIA should be considered a ‘live’ document, started as early as possible and updated throughout the life of your project.

Learn how to do a DPIA and take a risk-based approach using ICO's guide to DPIAs, which includes an example template and practical checklists.

Also see the HRA’s guidance on DPIAs for research. DPIAs for the processing of personal data that is done for the purpose of research are the responsibility of the sponsor.

In the context of technology adoption, doing a DPIA would normally be the responsibility of the relevant NHS or social care organisations in England and Wales.