DPIAs
Set a course for intention and accountability with our Data Protection Impact Assessments (DPIAs)
As organisations evolve, new projects can bring changes that impact how personal data is collected and used, especially when using AI. Assessing the privacy risks relating to the new or expanded use of personal data is a crucial part of data protection compliance. Conducting a data protection impact assessment (DPIA) demonstrates you have considered any perceived privacy risks at the outset of the processing and have identified and taken steps to minimise these risks.
Under the GDPR, conducting a DPIA is a legal requirement for “high risk” processing and failure to do so can result in penalties for your organisation.
Objective DPIA guidance
When completing DPIAs and risk assessments, our team of data protection lawyers and practitioners can support you with an impartial point of view and ensure your DPIA or risk assessment is aligned with regulatory requirements. We identify the technical and operational data protection risks involved in the use of personal data, especially where you are using sensitive data or children’s data, dealing with innovative technologies like AI, or carrying out systematic monitoring using CCTV and other monitoring activities.
We review and input into DPIAs and risk assessments, offering best practice guidance and advice. We can also conduct a DPIA on your behalf, working with your teams and offering complete objectivity on the project or initiative.
Embedding data protection in project design
- We offer guidance at every stage of the DPIA to give you confidence that the assessment has been conducted rigorously and takes into account the commercial objectives that the business is trying to achieve at the same time, balancing compliance with commerciality.
- We outline the scope and nature of the processing detailing what personal data is being collected, whose personal data it is, where it is stored and when it’s deleted. We also review who has access to the personal data internally and externally and check the controls and contracts in place to ensure contracts contain the minimum standards required by the EU and UK GDPR.
- We provide perspective on the necessity and proportionality of the data processing, offering guidance on the lawful and transparent use of personal data in compliance with the GDPR.
- We take a measured approach to identifying risks, provide constructive commercial mitigation measures which can be implemented, and set a foundation for regular reviews or testing to ensure any privacy risks remain well controlled.
- We also prepare an executive summary of the DPIA or risk assessment outcomes, which can be used for board presentations and senior stakeholder management, outlining privacy risks for the new or expanded processing.
Why choose HelloDPO?
Data protection expertise
Our team are experienced, qualified data protection lawyers and practitioners at the forefront of UK and EU legislation, so our advice is always up to date and practical.
Comprehensive support and advice
We understand that conducting a DPIA or risk assessment can raise privacy concerns about the use of personal data; however, the support and guidance we provide is pragmatic, commercial and helpful, creating a positive experience for teams whereby data protection compliance is seen as a benefit, not a burden.
Varied sector experience
With a wide range of sector experience, including financial services, hospitality, retail, tech, automotive and more, we’ll bring this wealth of knowledge to your organisation so you benefit from best practice across industries.
FAQs
In which situation is a DPIA needed?
- You must complete a DPIA where the use of personal data is considered to be “high risk”, for example where health or criminal conviction data or AI is used. If you are not sure whether your processing meets these criteria, we can work with you to assess it and advise on what is considered “high risk” under both the UK GDPR and EU legislation.
At what point should we carry out a DPIA and how often should it be reviewed?
- A DPIA should be conducted at the start of any new project that may result in high-risk data processing. If any processing has changed following completion of the DPIA, the DPIA should be revised and updated. A DPIA is a living document which should be kept in mind as the use of personal data changes over time. It is best practice to review DPIAs periodically, depending on the risk posed by the particular use of personal data.
What are the penalties if no DPIA has been completed?
- Penalties for failure to complete a DPIA when required can be severe. Under the EU and UK GDPR, enforcement action can include a fine of up to £8.7 million or €10 million, or 2% of global annual turnover if higher.
Our experience...
Speaks for itself through collaboration with leading global brands such as…
- Tech giants
- Health tech start-ups
- Forward-thinking financial institutions
- Global dating app
- One of the largest entertainment record labels globally
- Shopping meccas
- National broadcasters
- Professional services firms and regulators
Don't just take our word for it
“If you’re looking for trustworthy, pragmatic and diligent legal advisors, say Hello(to)DPO! The team has been a great support to Skyscanner on a broad range of privacy and data protection matters, whether advising at a compliance level or on more acute legal issues. You’ll enjoy considerate, timely and helpful advice, provided by professionals with whom it’s a delight to work.”
Gemma Witham
Director of Legal (Privacy), Group Privacy Officer, Skyscanner Limited
“We have been working with HelloDPO for several years now and I have always found them to be friendly, approachable and above all professional in their approach. I would have no hesitation in recommending them.”
Serena May
Director, Southern HR Ltd
“We have worked with Jenai, Alison and the HelloDPO team for over 5 years as our DPO and have found their advice and support invaluable. They are pragmatic and flexible in the advice they provide, and assist in making data protection compliance apply in a corporate environment. Working with them is like having additional members of our team, and the relationship has flourished over time.”
Craig Saunders
Head of International Privacy, Aetna Global Benefits (UK) Ltd
“The team (Jenai and Lisa) provided DPO services and compliance support to our business for over a year, during which they consistently delivered high quality advice and excellent client service. The demands of the hospitality industry are high and HelloDPO adapted to this quickly and seamlessly – they are responsive, knowledgeable, and pragmatic. They are also a pleasure to work with.”
Frasers Hospitality (UK) Ltd
“We have been working with HelloDPO for nearly a year. The team have been great to work with, highly professional and flexible. Most importantly, they have given clear advice and guidance in what is a very complex area. Well done and we look forward to continuing working with you!”
Ruth Hidalgo
Director, Chartered Accountants Worldwide
“The HelloDPO team have led us patiently through the intricacies of GDPR over the years, helping us to navigate a careful path to ensure understanding of the rules and therefore compliance with them. HelloDPO are a pleasure to work with and I’d have no hesitation in recommending them to others looking for good, commercial advice in this complex area.”
Sanjay Patel
Finance Director, Cadogan Group Limited
“We have recently engaged HelloDPO and the team, led by Jenai, has been responsive, practical and generally very helpful when dealing with our data protection queries. We look forward to what’s on track to becoming a great working relationship!”
Federica Cozzani
Senior Legal Counsel, Compre Group
“Jenai and Emma are amazing to deal with. They strike the right balance between understanding the business needs while doing its fiduciary duty to ensure we are on the right track from a legal, ethical and moral perspective. Working with HelloDPO’s guidance over the past 2 years has enabled X-Mode (now known as Outlogic) to be able to navigate complex and at times uncertain waters with GDPR in a strategic and ethical manner.”
Joshua Anton
CEO, Outlogic
“A great bespoke service, delivered flexibly by absolute experts in a friendly, collaborative and accessible way. I cannot recommend more highly!”
Clare Russell
Interim Head of Legal, Vue UK and Ireland
“HelloDPO have been brilliant at getting our data compliance into shape. We have come such a long way in our ways of working and they are always on hand to help when we have complicated or urgent issues – they have simply become part of the team.”
Josh Towb
Head of Business Transformation, Jigsaw
“The HelloDPO team have provided Channel 4 with a wide range of data protection advice over the years. Alison is always delightful to work with, and her advice is pragmatic and set within a commercial context, which is particularly helpful. HelloDPO runs regular DP Confessionals, which provide our team with a valuable wider industry view and a sense of issues which other organisations are struggling with, and the ways in which they are approaching them.”
Rebecca Miller
Channel 4