
UK DPIA Workbook Template (UK GDPR Article 35)

Draft a UK Data Protection Impact Assessment workbook for any high-risk processing operation under Article 35 of the UK GDPR. The template generates the four mandatory sections of Article 35(7) — systematic description of processing, necessity and proportionality, risk assessment, measures envisaged — plus optional Article 36 prior consultation with the ICO, Article 35(9) stakeholder consultation, EU AI Act 2024 classification and Data (Use and Access) Act 2025 overlays. Failure to carry out a DPIA when required is itself a UK GDPR Article 83(4)(a) infringement — penalty up to £8.7 million or 2% of global annual turnover.

Free to use · Instant PDF · No account required

PDF (free) + editable Word (.docx) with Expert

Data Protection Impact Assessment
Patient-outcome Predictive Analytics ("Project Atlas") · Controller: Ravenscourt Health Insights Ltd · V2.1 · 2026-06-03
PROJECT IDENTIFICATION
CONTROLLER: Ravenscourt Health Insights Ltd · ICO Z A 7841 09
REGISTERED ADDRESS: 14 Curtain Road, London EC2A 3LT
PROJECT NAME: Patient-Outcome Predictive Analytics ("Project Atlas")
PROJECT ID / REF: PROJ-2026-014
PROJECT OWNER: Dr Helena Margaret Standish · Chief Clinical Officer
DATA PROTECTION OFFICER: Joanne Catherine Pemberton · dpo@ravenscourt-health.co.uk · 020 7946 0411
ASSESSMENT DATE: 2026-06-03
VERSION: 2.1
1. WHY A DPIA WAS CARRIED OUT
1.1 A Data Protection Impact Assessment is required under Article 35(1) of the UK GDPR where a type of processing is likely to result in a high risk to the rights and freedoms of individuals, taking into account the nature, scope, context and purposes of the processing. Article 35(3) requires a DPIA in the cases of (a) systematic and extensive profiling with significant effects, (b) large-scale processing of special-category or criminal data, and (c) systematic monitoring of publicly accessible areas. The ICO's Article 35(4) list adds further high-risk processing categories — innovative technology (AI / biometrics), denial of service based on automated decision, large-scale profiling, special-category at scale (including children), tracking individuals' location or behaviour, and combining / matching / comparing datasets.
1.2 The Controller considered the project against Article 35(1), Article 35(3) and the ICO Article 35(4) list and concluded that a DPIA is required by reason of the following triggers:
The project triggers a DPIA on the following grounds: (i) Article 35(3)(b) — large-scale processing of special-category data (health data, 180,000 patients/year); (ii) ICO Article 35(4) list — innovative technology (AI/ML); (iii) ICO Article 35(4) list — large-scale profiling (readmission-risk score is a profile within Article 4(4)); (iv) Article 35(3)(a) — systematic and extensive profiling with significant effects (predictions inform clinical decisions); (v) ICO Article 35(4) list — special category data at scale; (vi) WP248 nine-criteria scoring: 4 of 9 criteria met.
2. STEP 1 — SYSTEMATIC DESCRIPTION OF THE PROCESSING (ART 35(7)(A))
2.1 Purposes.
Project Atlas deploys an AI model to predict 30-day readmission risk for NHS patients discharged from acute hospital settings. The model uses structured EHR data + freeform clinician notes + admission-pathway events. Predictions are presented to the clinical team via a dashboard and inform discharge planning and community-care intervention prioritisation.
2.2 Categories of data subjects.
NHS in-patients (18 years and over) discharged from contracted NHS Trusts in England; estimated 180,000 distinct patients in year 1; secondary use of historical records spanning 5 years for model training.
2.3 Categories of personal data.
Direct identifiers (NHS number, name, DOB, address); demographic data (gender, ethnicity); clinical data (diagnoses ICD-11, procedures OPCS-4, prescriptions); admission / discharge events; freeform clinician notes (post-de-identification); lab results; observations (vital signs); risk factors (smoking, BMI, comorbidities).
2.4 Special category data processed.
The processing involves health data within Article 9(1) UK GDPR. The Article 9(2) condition relied on is Article 9(2)(h) — provision of health or social care or treatment, supplemented by the conditions in Schedule 1 Part 1 of the Data Protection Act 2018 (health and social care purposes, paragraphs 2-3).
2.5 Sources of personal data.
Direct from contracted NHS Trust electronic health record systems via secure FHIR API; no data is collected directly from data subjects.
2.6 Recipients of personal data.
Internal: Ravenscourt clinical-AI team (access-controlled). Processor: Microsoft Azure UK South (UK-only data residency). NHS Trust users: dashboard access for treating clinicians only. No personal data is shared with third-party advertisers, brokers or analytics providers.
2.7 International transfers. International Data Transfer Agreement / Addendum to EU SCCs (Article 46 UK GDPR).
Microsoft Azure UK South is the contracted data-residency region. The Microsoft DPA / standard IDTA is in place. Microsoft sub-processor list is reviewed quarterly; any non-UK sub-processor onboarded with appropriate transfer mechanism (IDTA / Article 49 derogation as applicable, with TIA).
2.8 Retention period. Personal data: retained for 7 years after last patient contact in accordance with NHS Records Management Code of Practice 2021 schedule; pseudonymised model-training datasets: retained for 10 years for model versioning and reproducibility, then securely destroyed.
3. STEP 2 — NECESSITY AND PROPORTIONALITY (ART 35(7)(B))
3.1 Lawful basis. The processing is undertaken on the lawful basis of Public task (Article 6(1)(e) UK GDPR). The Article 9(2) condition relied upon for special-category data is: Article 9(2)(h) UK GDPR (provision of health or social care or treatment) supplemented by Schedule 1 Part 1 paragraphs 2-3 DPA 2018, given the NHS clinical-care purpose.
3.2 Necessity.
Predictive analytics for readmission risk is necessary to support clinical discharge planning. Without the AI model, manual readmission-risk identification relies on subjective clinician judgement which evidence indicates misses 25-40% of high-risk patients. The processing is the minimum required to achieve a clinically validated readmission-risk score; less-intrusive alternatives (less data, less granular) have been considered and would not achieve adequate predictive performance for the population.
3.3 Proportionality.
Data minimisation: only fields with demonstrated predictive value retained; freeform clinician notes processed via NER + pseudonymisation pipeline before model exposure. Purpose limitation: data used only for readmission-risk scoring + model performance monitoring. Storage limitation: 7-year retention aligned with NHS Records Management Code. Transparency: data subjects informed via Trust privacy notice and the Atlas project landing page (ravenscourt-health.co.uk/atlas-transparency). Data-subject rights operationalised through Trust-led SAR process within 1 month per Article 12(3).
4. STEP 3 — RISK IDENTIFICATION AND ASSESSMENT (ART 35(7)(C))
4.1 The Controller has identified the following risks to the rights and freedoms of data subjects from the processing. Likelihood and severity are assessed on a five-level scale (Negligible / Low / Medium / High / Very High); residual risk is the assessed risk after the safeguards in Step 4 are taken into account.
RISK REGISTER
| Risk to data subject | Likelihood | Severity | Residual risk |
|---|---|---|---|
| Re-identification of pseudonymised training data via auxiliary data joins | Medium | High | Low |
| Model bias against ethnic minorities or socio-economically disadvantaged cohorts producing inequitable predictions | Medium | Very High | Medium |
| Sole-automated-decision misuse — clinician follows model output without independent assessment | High | High | Medium |
| Unauthorised disclosure of clinician notes during processor sub-processor transfer | Low | High | Low |
| Model drift over time causing inaccurate predictions | High | Medium | Low |
| Function creep — extension of Atlas to non-clinical use cases (insurance pricing, employment) | Low | Very High | Low |
5. POTENTIAL CONSEQUENCES OF A DATA BREACH
5.1 Disclosure of health data (Article 9(1) special category) carries severe consequences for data subjects: stigma; insurance discrimination; family / social distress; loss of trust in NHS systems. The reputational consequences for the Controller and contracting NHS Trusts would be material. Article 33 / 34 breach notification thresholds met for most plausible breach scenarios.
6. STEP 4 — MEASURES AND SAFEGUARDS TO ADDRESS RISKS (ART 35(7)(D))
6.1 Technical measures.
AES-256 encryption at rest (Azure Storage SSE-KEK); TLS 1.3 in transit; pseudonymisation pipeline (k-anonymity ≥ 5 for training data); access control via Azure AD with conditional access; full audit logging with WORM retention 7 years; vulnerability management cycle (monthly scan, quarterly pen-test); SDLC with secure-by-design review at every model release; backup with 30-day recovery point objective.
6.2 Organisational measures.
DPIA refresh annually + on material change; data-protection by design / by default reviewed at each model release; all clinical-AI team members hold IG mandatory training + annual refresher; least-privilege access enforced with quarterly access review; supplier management with DPA + DPIA + ISO 27001 / SOC 2 audit; ICO Personal Data Breach SOP with 72-hour clock; bias-monitoring framework with quarterly bias-impact report to the Clinical Safety Officer.
6.3 Transfer safeguards.
Microsoft Azure UK South contracted data-residency region; Microsoft DPA + UK Addendum to EU SCCs in place; Microsoft sub-processor list reviewed quarterly; UK-only sub-processors mandatory for personal data unless specific TIA cleared; Schrems II transfer-impact assessment (TIA) completed for any non-UK sub-processor.
6.4 Data-subject rights measures.
Trust privacy notice updated to identify Ravenscourt as processor + Atlas as the processing activity; dedicated Atlas project landing page with plain-language explanation; SAR / Article 15 access response within 1 month via Trust SAR team; Article 17 erasure available where lawful basis lapses; Article 22 human-review pathway via clinical-AI team available in all clinical workflows; ICO complaints route signposted at ico.org.uk/concerns.
7. STEP 5 — DPO ADVICE (ART 35(2) UK GDPR)
7.1 The Data Protection Officer was consulted on this DPIA. The DPO's advice is:
The DPO has reviewed the DPIA and considers that (i) the lawful basis (Article 6(1)(e) + Article 9(2)(h)) is well-founded; (ii) the data minimisation and pseudonymisation pipeline meets the standard expected for clinical AI; (iii) the bias-monitoring framework is necessary and appropriate given the equity risks at the AI level; (iv) the project does NOT trigger Article 36 prior consultation given the residual risk after the safeguards in Step 4 is Medium / Low; (v) the project should proceed subject to the bias-monitoring framework being operational at clinical go-live.
8. STAKEHOLDER / DATA-SUBJECT CONSULTATION (ART 35(9))
8.1 Under Article 35(9) UK GDPR, the Controller is required, where appropriate, to seek the views of data subjects or their representatives on the intended processing. The Controller has consulted the following stakeholders:
Patient and Public Involvement (PPI) panel consulted twice (April 2026 and May 2026) — 18 participants, including 6 patients with recent acute discharge and 4 carers. PPI feedback shaped the transparency landing page, the opt-out pathway and the freetext-redaction rules. NHS Trust Caldicott Guardians from each contracting Trust consulted and signed off the data-flow design. Royal College of Physicians AI Subcommittee provided informal advisory input.
9. AI ACT AND ARTICLE 22 UK GDPR — AUTOMATED DECISION-MAKING
10.1 Where the processing involves AI systems or automated decision-making, the Controller has assessed the project against EU Regulation 2024/1689 (the EU AI Act) and Article 22 of the UK GDPR. The EU AI Act has extra-territorial application where AI output is used by persons located in the EU. The AI classification under the EU AI Act is: High-risk AI system under Annex III(5)(b) (health services) — EU AI Act Chapter III obligations apply where output is used by deployers located in the EU. Ravenscourt has decided to align the project to the EU AI Act high-risk requirements regardless of UK-only deployment at this stage, to preserve cross-border deployment optionality.
10.2 Under Article 22 UK GDPR, decisions producing legal or similarly significant effects must not be based solely on automated processing save where Article 22(2) permits and appropriate safeguards have been applied. The Controller ensures human review is available; meaningful information about the logic involved and the significance and envisaged consequences of any such processing is provided under Articles 13(2)(f), 14(2)(g) and 15(1)(h) UK GDPR. The ICO's 2024 guidance on AI and data protection has been considered.
10. DATA (USE AND ACCESS) ACT 2025 — IMPACT ASSESSMENT
11.1 The Controller has considered the impact of the Data (Use and Access) Act 2025 (Royal Assent 19 June 2025; key provisions in force from 5 February 2026) on this processing. The Act amends the UK GDPR / DPA 2018 framework to introduce: clarified legitimate-interests scoping; new "recognised legitimate interests" (Annex 1 to Schedule 4); modified rules on automated decision-making (potentially relaxing Article 22(1)); enhanced ICO enforcement and complaint procedure; and Smart Data + National Underground Asset Register provisions.
11.2 The Controller will keep this DPIA under review as the ICO publishes updated guidance (next round expected Summer 2026) and will amend the assessment where DUA Act 2025 provisions modify the legal basis, automated-decision treatment or any other aspect of the processing.
11. OUTCOME AND SIGN-OFF
The Controller has completed the DPIA in accordance with Article 35(7) UK GDPR and the ICO's DPIA Guidance. The Controller confirms that, having regard to the risks identified, the measures envisaged are reasonably necessary and proportionate to address those risks; that the residual risk is acceptable and the processing may proceed. The Controller will keep the DPIA under review and amend it where the nature, scope, context or purposes of the processing change materially. Penalty for non-compliance with Article 35 UK GDPR is up to £8.7 million or 2% of global annual turnover, whichever is higher (Article 83(4)(a) UK GDPR).
12. GOVERNING LAW
This DPIA is undertaken in accordance with the UK GDPR and the Data Protection Act 2018, as amended by the Data (Use and Access) Act 2025, and is governed by the law of England and Wales.
Sign-off: By signing below the Project Owner adopts the DPIA and confirms that the project will not proceed without the measures and safeguards at Step 4 being in place. The Data Protection Officer countersigns to confirm the advice given at Step 5.
PROJECT OWNER
Dr Helena Margaret Standish
Chief Clinical Officer
Date: ____________________
DATA PROTECTION OFFICER
Joanne Catherine Pemberton
Data Protection Officer
Date: ____________________

Available as a print-ready PDF or an editable Microsoft Word (.docx) file.

What Is a UK DPIA Workbook?

A UK Data Protection Impact Assessment (DPIA) is a structured workbook required by Article 35 of the UK GDPR for any type of processing that is likely to result in a high risk to the rights and freedoms of natural persons. The DPIA is the British controller's primary accountability artefact for high-risk processing — it documents what processing is envisaged, why it is necessary and proportionate, what risks it poses to data subjects, and what measures are taken to address those risks. The four mandatory contents are set out in Article 35(7) and must be in the DPIA itself, not merely referenced from external documents.

In the United Kingdom, Article 35(3) lists three types of processing that always require a DPIA: (a) systematic and extensive evaluation based on automated processing including profiling, with significant effects; (b) large-scale processing of special-category data (Article 9) or criminal-conviction data (Article 10); or (c) systematic monitoring of publicly accessible areas. The Information Commissioner's Office has published an Article 35(4) list of additional high-risk processing types — innovative technology (AI / biometrics), denial of service based on automated decision, large-scale profiling, special-category at scale (including children), tracking individuals' location or behaviour, and combining / matching / comparing datasets.

The Data (Use and Access) Act 2025 (Royal Assent 19 June 2025, key provisions in force 5 February 2026) has begun to reshape the UK DPIA landscape. The ICO is updating its DPIA Guidance in two phases (Winter 2025/2026 and Summer 2026). A 2026-ready British DPIA workbook integrates DUA Act 2025 considerations — clarified legitimate-interests scoping, new "recognised legitimate interests" in Annex 1 to Schedule 4, modified rules on automated decision-making — alongside the EU AI Act 2024 (Regulation 2024/1689) where the processing involves AI systems.

What's Covered in This UK Template

Our UK DPIA template produces a structured workbook compliant with Article 35(7) UK GDPR with optional Article 36, AI Act and DUA Act 2025 overlays.

Project Identification + DPO Sign-Off

Controller details, project name and ID, project owner + DPO + assessment date and version laid out as a kv-table on the front page. Sign-off by both Project Owner and Data Protection Officer at the foot of the workbook.

Why a DPIA Was Carried Out

Explicit identification of the Article 35(3) mandatory triggers and the ICO Article 35(4) additional high-risk processing types relevant to the British project — a structured grounding rather than a generic preamble.

Step 1 — Systematic Description (Art 35(7)(a))

Purposes, categories of data subjects, categories of personal data (including special-category data under Article 9(1) and criminal data under Article 10), sources, recipients, international transfers (with IDTA / Article 49 derogation analysis), retention period.

Step 2 — Necessity and Proportionality (Art 35(7)(b))

Article 6 lawful basis + Article 9(2) condition (where special-category), necessity basis, proportionality assessment, Article 35(3) and 35(4) triggers analysed in the British context.

Step 3 — Risk Register (Art 35(7)(c))

Expert mode unlocks the structured risk register — each risk rated for likelihood × severity, with the post-mitigation residual risk. The residual risk drives the Article 36 prior-consultation decision in Step 5.

Step 4 — Measures and Safeguards (Art 35(7)(d))

Expert mode adds the four-category measures clause: technical measures (encryption, pseudonymisation, access control, audit logging); organisational measures (training, supplier management, data-protection by design); transfer safeguards; data-subject rights operationalisation.

Step 5 — DPO Advice (Art 35(2))

Expert mode adds the mandatory DPO consultation clause — the DPO's written advice on necessity, risk-rating, measures and any Article 36 trigger. Mandatory where a DPO is appointed (which the ICO recommends for all public authorities and most private-sector controllers processing at scale).

Stakeholder Consultation (Art 35(9))

Where appropriate, Article 35(9) UK GDPR requires the British controller to seek the views of data subjects or their representatives on the intended processing — Patient and Public Involvement panels (NHS), Trade Union consultations, Caldicott Guardians, sectoral subcommittees.

Article 36 Prior Consultation Trigger

Where residual risk is HIGH after the Step 4 measures, the British controller must consult the ICO before processing — Article 36 UK GDPR. The ICO has 8 weeks (extendable by 6 weeks for complex processing) to respond.

EU AI Act 2024 + Article 22 UK GDPR

For projects involving AI systems or automated decision-making, the EU AI Act classification (Annex III high-risk) and Article 22 UK GDPR analysis — meaningful information about logic under Articles 13(2)(f), 14(2)(g) and 15(1)(h), human review pathway under Article 22(3).

DUA Act 2025 Impact Assessment

Forward-looking — Data (Use and Access) Act 2025 considerations: clarified legitimate-interests scoping, recognised legitimate interests (Annex 1 to Schedule 4), modified automated-decision rules, enhanced ICO enforcement framework. The 2026-ready UK DPIA integrates this.

Outcome + Penalty Recital

Final outcome and sign-off with explicit recital of the Article 83(4)(a) penalty (£8.7 million or 2% global turnover) — a UK Board-level reminder of why the DPIA must be robust.

How to Create a UK DPIA

Follow these five steps to produce a structured DPIA workbook that the ICO and the Board will recognise as compliant with Article 35(7) UK GDPR.

  1. Enter Project Identification + DPO

    Enter the UK controller name, registered address, ICO registration number; the project name and internal ID; the project owner (the operational accountable individual) and the Data Protection Officer name + contact details. Set the assessment date and version. This is the British accountability metadata.

  2. Step 1 — Describe the Processing Systematically

    Enter the purposes of the processing (be specific — generic descriptions fail the ICO test), the categories of data subjects (with estimated volume), the categories of personal data (note any special-category data under Article 9(1) or criminal data under Article 10), the sources of data, the recipients (internal + processors + third parties), the international transfers (with Article 45 adequacy / Article 46 IDTA-SCC / Article 49 derogation analysis), and the retention period and its justification.

  3. Step 2 — Necessity, Proportionality and Triggers

    Pick the Article 6 lawful basis (and the Article 9(2) condition for special-category data). Explain the necessity (why the processing is needed and why a less-intrusive alternative is not available) and the proportionality (data minimised, purpose limited, storage limited, transparent). Identify which Article 35(3) and Article 35(4) triggers apply to your British project. Pick the governing law (England & Wales / Scotland / NI).

  4. Unlock Expert: Risk Register + Measures + DPO Advice

    In Expert mode, build the structured risk register — each risk rated for likelihood × severity × residual after mitigation. Build the four-category measures clause — technical, organisational, transfer safeguards, data-subject rights operationalisation. Record the DPO consultation and advice (mandatory under Article 35(2) where a DPO is appointed in the UK). Record any Article 35(9) stakeholder consultation.

  5. Decide Article 36 + Add AI Act and DUA Act Overlays

    If residual risk after Step 4 measures is HIGH, trigger Article 36 prior consultation with the ICO (the ICO has 8 weeks to respond, extendable by 6 weeks). Add the EU AI Act 2024 classification clause where AI is involved (Annex III high-risk categories). Add the DUA Act 2025 impact-assessment clause to make the workbook 2026-ready. Download as PDF for Project Owner and DPO sign-off and file in the British controller's DPIA register.

Legal Considerations

A UK DPIA is a regulatory artefact — it must be substantively complete and accurate, not just procedurally undertaken.

This template is for informational purposes only and does not constitute legal advice. For complex processing (AI systems, large-scale special-category processing, international transfers to non-adequacy jurisdictions, public-authority processing), instruct a UK data-protection solicitor or Outsourced DPO with sectoral experience.

Reviewed for England & Wales data-protection practice (June 2026)

Article 35 — The DPIA Obligation

Article 35(1) of the UK GDPR requires the controller to carry out a DPIA before processing where a type of processing, in particular using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons, taking into account the nature, scope, context and purposes of the processing. Article 35(3) lists three types of processing that always require a DPIA. The ICO has published an Article 35(4) list of additional high-risk processing types under section 65 DPA 2018. Failure to carry out a DPIA when required is itself an infringement under Article 83(4)(a) — penalty up to £8.7 million or 2% of global annual turnover, whichever is higher. The DPIA must be in writing, must be undertaken by the controller (with the assistance of the DPO under Article 35(2)) and must precede the processing.

Article 35(7) — The Four Mandatory Contents

Article 35(7) UK GDPR sets out the four contents a DPIA MUST contain: (a) a systematic description of the envisaged processing operations and the purposes of the processing (including, where applicable, the legitimate interest pursued by the controller); (b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes; (c) an assessment of the risks to the rights and freedoms of data subjects (typically rated for likelihood and severity with residual risk after mitigation); and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the UK GDPR, taking into account the rights and legitimate interests of data subjects and other persons concerned. The template produces all four in structured form.

Article 36 — Prior Consultation with the ICO

Article 36 UK GDPR requires the British controller to consult the ICO prior to processing where a DPIA indicates that the processing would result in a high risk in the absence of measures taken to mitigate the risk. The ICO must be provided with the DPIA, plus a description of the controller's respective responsibilities and intended measures, plus the contact details of the DPO. The ICO has up to 8 weeks to respond (extendable by 6 weeks for complex processing). The controller may not commence processing until the ICO has provided written advice. Triggering Article 36 unnecessarily delays projects; failing to trigger when required is itself an infringement under Article 83(4)(a). The decision to trigger Article 36 is one of the most important judgments in any UK DPIA.

DUA Act 2025 and the Evolving ICO Guidance

The Data (Use and Access) Act 2025 received Royal Assent on 19 June 2025, with key provisions in force from 5 February 2026. The Act amends the UK GDPR / DPA 2018 framework to introduce: clarified legitimate-interests scoping; new "recognised legitimate interests" listed in Annex 1 to Schedule 4 (which are a clearer Article 6(1)(f) basis for specified processing); modified rules on automated decision-making (potentially relaxing Article 22(1) for some forms of decision-making, subject to safeguards); enhanced ICO enforcement and complaint procedure; and Smart Data + National Underground Asset Register provisions. The ICO is updating its DPIA Guidance in two phases — Winter 2025/2026 and Summer 2026. A 2026-ready UK DPIA workbook integrates DUA Act 2025 considerations.

Draft Your UK DPIA Workbook Now

Use our free UK GDPR Article 35 template to produce a structured Data Protection Impact Assessment workbook for any high-risk processing operation. Expert mode unlocks the structured risk register, four-category measures clause, DPO consultation, Article 35(9) stakeholder consultation, Article 36 prior-consultation trigger, EU AI Act 2024 classification and Data (Use and Access) Act 2025 overlays — the complete 2026-ready British DPIA toolkit.