GDPR

Data Protection Impact Assessments (DPIAs) Under Article 35

Expert guidance on when Data Protection Impact Assessments are required and support in conducting them. We assess the necessity, proportionality and risks of your data processing — helping you demonstrate accountability and make informed decisions about new systems, processes and technologies.

Art 35: DPIA requirement
High Risk: Processing trigger
ICO: Prior consultation when needed
Accountability: Demonstrated compliance
Impact Assessments

When Do You Need a DPIA?

A workplace risk assessment is a systematic examination of your work activities, premises and processes to identify what could cause harm to people — and whether you're doing enough to prevent it. Under the Management of Health and Safety at Work Regulations 1999 (MHSWR), every employer must carry out a suitable and sufficient assessment of the risks to the health and safety of their employees and anyone else who may be affected by their work activities.

If you have five or more employees, the significant findings of your risk assessment must be recorded in writing. But regardless of your size, risk assessment is the foundation of every health and safety management system — without it, you're managing safety blind.

RADCaT's qualified health and safety consultants carry out thorough, practical workplace risk assessments for businesses of every size and sector across the UK. We don't produce generic templates — we visit your premises, walk your processes, talk to your team and produce site-specific, task-specific assessments that genuinely reflect your operations and give you a clear, prioritised action plan for improvement.

Whether you need a general workplace risk assessment for your office, a task-specific assessment for high-risk activities in a factory, a site-wide review for a multi-building campus, or a pre-project risk assessment for a construction site — RADCaT delivers expert, HSE-compliant assessments tailored to your industry and your operations.

If you should have done a DPIA and didn't, the ICO will ask why. Conducting DPIAs proactively demonstrates the accountability that regulators want to see — and often identifies risks you hadn't considered.

DPIAs from RADCaT
Types of Risk Assessment

DPIA Services

From screening to full assessment and ICO consultation.

DPIA Screening

Assessment of whether your proposed processing requires a DPIA. Using ICO screening criteria and the Article 29 Working Party guidelines to determine whether the high-risk threshold is met.

Full DPIA Conduct

End-to-end DPIA following ICO methodology — description of processing, necessity and proportionality assessment, risk identification, risk mitigation and documented conclusions.

Risk Assessment

Identification and evaluation of risks to individuals from the proposed processing — considering likelihood and severity of impact on rights and freedoms.

Mitigation Planning

Specification of measures to reduce identified risks — technical controls, organisational measures, transparency enhancements and individual safeguards.

ICO Prior Consultation

Where residual risk remains high after mitigation, we prepare and manage the prior consultation submission to the ICO under Article 36.

DPIA Register

Maintenance of your DPIA register — documenting all assessments conducted, outcomes, mitigations implemented and review dates.

Our Process

How We Carry Out a Risk Assessment

1. Screening

We assess whether the proposed processing triggers the DPIA requirement using ICO screening criteria.

2. Processing Description

We document the proposed processing — nature, scope, context, purposes, data types, individuals affected and data flows.

3. Necessity & Proportionality

We assess whether the processing is necessary and proportionate to the stated purpose — can you achieve the same goal with less data or less intrusive processing?

4. Risk Assessment

We identify and evaluate risks to individuals — unauthorised access, data loss, discrimination, financial harm, reputational damage and loss of control over personal data.

5. Mitigation & Decision

We recommend risk mitigation measures, document your decision on whether to proceed and establish the review schedule.

Common Questions

DPIAs FAQ

When is a DPIA legally required?

When processing is likely to result in a high risk to individuals. Specific triggers: systematic profiling with significant effects, large-scale special category data processing, large-scale public area monitoring, new technology with novel data use, and anything on the ICO's published list of processing requiring a DPIA.

Do schools need DPIAs?

Yes, in many situations — new MIS systems, CCTV installation, biometric registration, behaviour monitoring software, cloud migration of pupil data, data sharing with external agencies and any new processing of pupil special category data.

What happens if we don't do a required DPIA?

The ICO can take enforcement action for failure to conduct a DPIA when required. More practically, you miss the opportunity to identify and mitigate risks before they materialise — potentially leading to data breaches, complaints and reputational damage.

How long does a DPIA take?

Simple DPIAs for straightforward processing can be completed in days. Complex DPIAs involving multiple data flows, third parties and novel technology may take several weeks. We provide timescales after understanding your proposed processing.

Do you conduct the DPIA or just advise?

Both. We can conduct the entire DPIA on your behalf, or we can guide your internal team through the process, reviewing and advising at each stage. The approach depends on your internal capacity and preference.

What is ICO prior consultation?

If a DPIA identifies high residual risk that cannot be mitigated, you must consult the ICO before proceeding with the processing. The ICO has 8 weeks to respond. RADCaT prepares and manages the prior consultation submission.

How much does a DPIA cost?

Pricing is based on the complexity of the processing being assessed, from simple DPIAs to complex multi-system assessments. Contact us for a quote based on your specific processing activity.

Need a DPIA?

Tell us about your proposed processing and we'll advise whether a DPIA is needed and provide a quote.