Skip to main content

Thinking about introducing new tech or a contract where you or a third party are processing personal data? You’ll need an impact assessment!

Impact assessments are seldom used but are incredibly important (especially if you suffer a data breach) – here’s a reminder of what an impact assessment involves:

Identification – calling out the specific personal data your new tech or contract will be processing and how it’ll be used.

Security and safeguards – evidencing that you’ll ensure data isn’t processed beyond the purpose it was gathered, how it’ll be kept up to date, where (if anywhere) it’ll be transferred and how any potential risks to individuals’ privacy will be mitigated (restricting access, anonymisation, for example).

Action and follow-up – it’s one thing to identify potential data risks in your assessment, but a thorough and robust process will capture the actions needed to address or minimise those risks. Make sure you have a record of all follow-ups.

Our data protection toolkit contains a template impact assessment and guidance on creating robust data processing practices – get in touch to find out more.


This update is accurate on the date it was posted (17 August 2022), but may be subject to change which may or may not be notified to you. This update is not to be taken as advice and you should seek advice if anything contained within affects you or your business.

Leave a Reply