The precise requirements for this is where data processing “is likely to result in a high risk to the rights and freedoms of natural persons.”

More practically, the following list can be used to identify the activities that will require a data privacy impact assessment:

A) Systematic and extensive profiling with significant effects:

“(a) any systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person.”

B) Large scale use of sensitive data:

“(b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10.”

C) Public monitoring:

“(c) a systematic monitoring of a publicly accessible area on a large scale.”


The ICO has provided further clarification on this, stating ten types of processing that automatically require a data privacy impact assessment:

  1. New technologies: processing involving the use of new technologies, or the novel application of existing technologies (including AI).
  2. Denial of service: Decisions about an individual’s access to a product, service, opportunity or benefit which is based to any extent on automated decision-making (including profiling) or involves the processing of special category data.
  3. Large-scale profiling: any profiling of individuals on a large scale.
  4. Biometrics: any processing of biometric data.
  5. Genetic data: any processing of genetic data, other than that processed by an individual GP or health professional for the provision of health care direct to the data subject.
  6. Data matching: combining, comparing or matching personal data obtained from multiple sources.
  7. Invisible processing: processing of personal data that has not been obtained direct from the data subject in circumstances where the controller considers that compliance with Article 14 would prove impossible or involve disproportionate effort.
  8. Tracking: processing which involves tracking an individual’s geolocation or behaviour, including but not limited to the online environment.
  9. Targeting of children or other vulnerable individuals: The use of the personal data of children or other vulnerable individuals for marketing purposes, profiling or other automated decision-making, or if you intend to offer online services directly to children.
  10. Risk of physical harm: Where the processing is of such a nature that a personal data breach could jeopardise the [physical] health or safety of individuals.
Did this answer your question?