
Get an overview of your obligations with the data checklist for developers.

This is required guidance

It is legally required and it is an essential activity.

This Guide covers:

  • England

From:

Developers - How to comply with the UK GDPR as a developer - Step 2: Do a data protection impact assessment (DPIA)

Before you start processing health and care data or deploying a technology in a health or social care setting, you should consider carrying out a DPIA. This will help you identify and minimise any data protection problems early on, and to fully consider the risks to patients and service users. It will also help you build public trust because it will help you consider how to make your data processing transparent (such as through creating privacy notices).

You can use the standardised DPIA template developed by the Health and Care IG Panel. It will also help you carry out the assessments required in steps 3 and 4 below.

A DPIA is required by law before you carry out processing of special category data on a large scale by an innovative technology, because this constitutes a high risk (see the ICO's examples of processing ‘likely to result in high risk’). Failure to carry one out when required could result in a fine, prosecution and damage to reputation.

You should also consider the risks of any additional new data-processing activity you later add to your project, before any data processing begins.

You may need to modify the DPIA or create a new one at later stages of the technology development pathway if you change an existing processing activity, for example, if you make significant changes to how or why personal data is processed, or the type or amount of data being processed. In other words, a DPIA should be considered a ‘live’ document, started as early as possible and updated throughout the life of your project.

Learn how to do a DPIA and take a risk-based approach using the ICO's guide to DPIAs, which includes an example template and practical checklists. The HRA has also published guidance on DPIAs for research.


Get more support

To discover how the HRA can assist you and for contact details, visit our 'Get Support' page.


Regulations are regularly updated. For the latest information, check the website as printed documents may be outdated.