Examples of processing ‘likely to result in high risk’

The following list details processing operations for which the ICO requires you to complete a DPIA as they are ‘likely to result in high risk’. It is based on guidelines adopted by the European Data Protection Board (EDPB) on DPIAs (WP248rev01). Our list therefore complements and further specifies these guidelines.

For illustration, we have also included examples of existing areas of application. These should not be taken as definitive or exhaustive. In any event, this list does not affect your overriding obligation in Article 35(1), which is to assess any proposed processing operation against the requirement to complete DPIAs. The ICO also considers it best practice to do a DPIA, whether or not the processing is likely to result in a high risk.

Processing involving the use of new technologies, or the novel application of existing technologies (including AI).

A DPIA is required for any intended processing operation(s) involving innovative use of technologies (or applying new technological and/or organisational solutions) when combined with any other criterion from WP248rev01.

• Artificial intelligence, machine learning and deep learning
• Connected and autonomous vehicles
• Intelligent transport systems
• Smart technologies
  (including wearables)
• Market research involving neuro-measurement (i.e. emotional response analysis and brain activity)
• Some IoT applications, depending on the specific circumstances of the processing

• Credit checks
• Mortgage or insurance applications
• Other pre-check processes related to contracts (i.e. smartphones)

• Data processed by Smart Meters or IoT applications
• Hardware/software offering fitness/lifestyle monitoring
• Social-media networks
• Application of AI to existing process

Any processing of biometric data for the purpose of uniquely identifying an individual.

A DPIA is required for any intended processing operation(s) involving biometric data for the purpose of uniquely identifying an individual, when combined with any other criterion from WP248rev01

• Facial recognition systems
• Workplace access systems/identity verification
• Access control/identity verification for hardware/applications (including voice recognition/fingerprint/facial recognition)

Any processing of genetic data, other than that processed by an individual GP or health professional for the provision of health care direct to the data subject.

A DPIA is required for any intended processing operation(s) involving genetic data when combined with any other criterion from WP248rev01

• Medical diagnosis
• DNA testing
• Medical research

• Fraud prevention
• Direct marketing
• Monitoring personal use/uptake of statutory services or benefits
• Federated identity assurance services

Processing of personal data that has not been obtained direct from the data subject in circumstances where the controller considers that compliance with Article 14 would prove impossible or involve disproportionate effort (as provided by Article 14.5(b).

A DPIA is required for any intended processing operation(s) involving where the controller is relying on Article 14.5(b) when combined with any other criterion from WP248rev01

• List brokering
• Direct marketing
• Online tracking by third parties
• Online advertising
• Data aggregation/data aggregation platforms
• Re-use of publicly available data

Processing which involves tracking an individual’s geolocation or behaviour, including but not limited to the online environment.

A DPIA is required for any intended processing operation involving geolocation data when combined with any other criterion from WP248rev01

• Social networks, software applications
• Hardware/software offering fitness/lifestyle/health monitoring
• IoT devices, applications and platforms
• Online advertising
• Web and cross-device tracking
• Data aggregation / data aggregation platforms
• Eye tracking
• Data processing at the workplace
• Data processing in the context of home and remote working
• Processing location data of employees
• Loyalty schemes
• Tracing services (tele-matching, tele-appending)
• Wealth profiling – identification of high net-worth individuals for the purposes of direct marketing

• Connected toys
• Social networks

• Whistleblowing/complaint procedures
• Social care records

• Share this page
• Print this page
• RSS feeds