Audit model
ICO “Have we written a good DPIA?” checklist
This checklist helps evaluate the quality and completeness of a Data Protection Impact Assessment (DPIA), so that the finished document is clear and thorough and demonstrates compliance with UK GDPR requirements. More information: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/guide-to-accountability-and-governance/data-protection-impact-assessments/
This checklist is provided for general guidance only and does not constitute legal advice. Completing it does not replace a full risk assessment or professional legal consultation. Organisations remain responsible for ensuring compliance with the UK GDPR and for seeking expert advice where necessary.
1. ICO “Have we written a good DPIA?” checklist
1.1. confirmed whether the DPIA is a review of pre-GDPR processing or covers intended processing, including timelines in either case;
1.2. explained why we needed a DPIA, detailing the types of intended processing that made it a requirement;
1.3. structured the document clearly, systematically and logically;
1.4. written the DPIA in plain English, with a non-specialist audience in mind, explaining any technical terms and acronyms we have used;
1.5. set out clearly the relationships between controllers, processors, data subjects and systems, using both text and data-flow diagrams where appropriate;
1.6. ensured that the specifics of any flows of personal data between people, systems, organisations and countries have been clearly explained and presented;
1.7. explicitly stated how we are complying with each of the Data Protection Principles under GDPR and clearly explained our lawful basis for processing (and special category conditions if relevant);
1.8. explained how we plan to support the relevant information rights of our data subjects;
1.9. identified all relevant risks to individuals’ rights and freedoms, assessed their likelihood and severity, and detailed all relevant mitigations;
1.10. explained sufficiently how any proposed mitigation reduces the identified risk in question;
1.11. evidenced our consideration of any less risky alternatives to achieving the same purposes of the processing, and why we didn’t choose them;
1.12. given details of stakeholder consultation (e.g. data subjects, representative bodies) and included summaries of findings;
1.13. attached any relevant additional documents we reference in our DPIA, e.g. Privacy Notices, consent documents;
1.14. recorded the advice and recommendations of our DPO (where relevant) and ensured the DPIA is signed off by the appropriate people;
1.15. agreed and documented a schedule for reviewing the DPIA regularly or when we change the nature, scope, context or purposes of the processing;
1.16. consulted the ICO if there are residual high risks we cannot mitigate.
Created on: 07/10/2025
Updated on: 07/25/2025
License: Creative Commons Attribution / NonCommercial (CC BY-NC)