Data protection impact assessments (DPIAs) are tools which assist organisations in identifying the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy. They can be an integral part of taking a privacy by design approach.

The new General Data Protection Regulation (GDPR) sets out the circumstances in which a DPIA must be carried out.

An effective DPIA will allow organisations to identify and fix problems at an early stage, reducing the associated costs and damage to reputation, which might otherwise occur.

The Information Commissioner's Office (ICO), which is the UK regulator for Data Protection legislation, encourages organisations to ensure that privacy and data protection is a key consideration in the early stages of any project, and then throughout its lifecycle. For example when:

building new IT systems for storing or accessing personal data;
developing legislation, policy or strategies that have privacy implications;
embarking on a data sharing initiative; or
using data for new purposes.

Class Three: What our priorities are and how we are doing

Annual report

Annual business plan, including commissioning

Targets, aims and objectives

Strategic direction document (3 year plan)

Performance against targets/ key performance indicators (KPI)/ performance management information

Quality and safety reports

Structured assessment and standards for healthcare service in Wales Annual quality statement

Caldicott Principles in Practice (C-PIP)

Caldicott assessments and improvement plan

Audit reports

Service user surveys

Privacy impact assessments

Structured assessment and standards for healthcare service in Wales
Annual quality statement