GDPR Data Protection Impact Policy

Date CreatedDate 1st Review DueDate ReviewedVersionNext Review Due
February 2023February 2024  1 
February 20242February 2025

Data Protection Impact Assessment Policy

Article 25 is clear that:

“The controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures and integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.”


This policy and procedure establishes a process designed to help Egham Park School systematically analyse, identify and minimise the data protection risks of a project or plan. It is a key part of our accountability obligations under the GDPR UK, and demonstrates how we comply with all of our data protection obligations.


Conducting a DPIA is a legal requirement for any type of processing, including certain specified types of processing, that is likely to result in a high risk to the rights and freedoms of individuals.

Policy Statement

A DPIA aims to systematically and comprehensively analyse our data processing and help us to identify and minimise data protection risks. DPIAs consider compliance risks, but also broader risks to the rights and freedoms of individuals, including the potential for any significant social or economic disadvantage. The focus is on the potential for harm – to individuals or to society at large, whether it is physical, material or non-material.

To assess the level of risk, a DPIA must consider both the likelihood and the severity of any impact on individuals.

When is a DPIA necessary?

Staff must conduct a DPIA before beginning any type of processing which is “likely to result in a high risk”.

In particular, the GDPR UK says you must do a DPIA if you plan to:

  • use systematic and extensive profiling with significant effects;
  • process special category or criminal offence data on a large scale;
  • systematically monitor publicly accessible places on a large scale.

The ICO also requires you to do a DPIA if you plan to:

  • use new technologies;
  • use profiling or special category data to decide on access to services;
  • profile individuals on a large scale;
  • process biometric data;
  • process genetic data;
  • match data or combine datasets from different sources;
  • collect personal data from a source other than the individual without providing them with a privacy notice (‘invisible processing’);
  • track individuals’ location or behaviour;
  • profile children or target marketing or online services at them; or
  • process data that might endanger the individual’s physical health or safety in the event of a security breach.

How to carry out a DPIA

A DPIA should begin early in the life of a project, before processing has even started and should include these steps

  1. Identify a need for a DPIA
  2. Describe the processing
  3. Consider consultation
  4. Assess necessity and proportionality
  5. Identify and assess risks
  6. Identify measures to mitigate risks
  7. Sign off and record outcomes
  8. Integrate outcomes into plan
  9. Review

To help with this please refer to the Data Protection Impact Assessment template


  • The overall responsibility for ensuring compliance and performing data protection Impact Assessments activities at Egham Park School lies with the Senior Leadership Team
  • All staff that deal with personal data are responsible for processing in compliance with Egham Park School policies and procedures.
  • Staff must maintain any necessary records of compliance