Overview
Thedpia command generates Data Protection Impact Assessments (DPIAs) following UK GDPR Article 35 requirements and ICO guidance. A DPIA is a legal requirement for processing that is likely to result in a high risk to individuals’ rights and freedoms. It systematically assesses privacy risks, evaluates necessity and proportionality, and identifies mitigations.
Command Syntax
When is a DPIA Required?
ICO 9-Criteria Screening
The command automatically scores the ICO 9 criteria based on your data model:| # | Criterion | Description | Example |
|---|---|---|---|
| 1 | Evaluation or scoring | Profiling, credit scoring, risk assessment | AI-powered credit scoring, employee performance rating |
| 2 | Automated decision-making | Decisions with legal/significant effect | Automated loan rejection, algorithmic recruitment |
| 3 | Systematic monitoring | Continuous tracking, surveillance | CCTV, location tracking, web analytics |
| 4 | Sensitive data | Special category data (Article 9) | Health records, biometric data, ethnicity |
| 5 | Large scale | >5000 data subjects or national scope | NHS patient database, national census |
| 6 | Matching datasets | Combining data from multiple sources | Linking NHS + social care + police records |
| 7 | Vulnerable subjects | Children, elderly, disabled, patients | School pupil tracking, elderly care monitoring |
| 8 | Innovative technology | New/emerging tech | AI, blockchain, facial recognition |
| 9 | Prevents rights exercise | No mechanism for SAR/deletion/portability | Legacy system with no data export feature |
- 2+ criteria met: DPIA REQUIRED (UK GDPR Article 35)
- 1 criterion met: DPIA RECOMMENDED (good practice)
- 0 criteria met: DPIA NOT REQUIRED (but consider Data Privacy Notice)
Prerequisites
Mandatory
- Data Model (DATA): Must identify all entities with PII/special category data
- Command:
arckit data-model <project> - The tool will STOP and warn if missing
- Why: A DPIA requires a data model to identify personal data processing
- Command:
Recommended
- Architecture Principles (PRIN): Privacy by Design principles, data minimization
- Requirements (REQ): Data requirements (DR-xxx), security (NFR-SEC), compliance (NFR-C)
- Stakeholder Analysis (STKE): Data subject categories, vulnerable groups, RACI (Data Controller, DPO)
Optional
- Risk Register (RISK): Extract existing data protection risks
- Secure by Design (SECD): Extract security controls as DPIA mitigations
Workflow
1. Create Data Model First
2. Generate DPIA
- Screen: Run ICO 9-criteria screening
- Assess: Identify risks to individuals (confidentiality, integrity, availability)
- Mitigate: Propose technical, organizational, procedural controls
- Document: Generate full DPIA document
3. Review Output
The command creates:- File:
projects/001-nhs-appointment-booking/ARC-001-DPIA-v1.0.md - Classification: OFFICIAL-SENSITIVE (contains privacy risk analysis)
- Summary: Shows screening score, risks identified, ICO consultation requirement
4. Next Steps (Handoffs)
Risk Register
Add DPIA risks to project risk register
Secure by Design
Extract security controls as DPIA mitigations
AI Playbook
If AI/ML: Integrate algorithmic bias assessment
ICO Consultation
If residual high risks: Contact ICO before processing
DPIA Risk Assessment
Risk Categories
DPIA risks focus on impact on individuals (not organizational risks): Confidentiality Risks:- Data breach (unauthorized access, exfiltration)
- Insider threat (employees accessing data inappropriately)
- Third-party processor breach (cloud provider, SaaS vendor)
- Data corruption (inaccurate profiling, incorrect medical records)
- Unauthorized modification (tampering with transaction history)
- Data quality issues (incomplete records affecting decisions)
- Inability to access data (SAR requests fail)
- Inability to port data (no export mechanism)
- Inability to delete data (no erasure mechanism)
Risk Scoring Matrix
Likelihood:- Remote: Unlikely to occur (e.g., nation-state attack)
- Possible: Could occur under certain circumstances (e.g., phishing attack)
- Probable: Likely to occur (e.g., insider threat without access controls)
- Minimal: Minor inconvenience (e.g., spam emails)
- Significant: Distress, financial loss (e.g., identity theft, discrimination)
- Severe: Physical harm, serious psychological distress (e.g., medical misdiagnosis, stalking)
- Low (🟢): Remote + Minimal, Possible + Minimal
- Medium (🟠): Remote + Significant, Possible + Significant, Probable + Minimal
- High (🔴): Remote + Severe, Possible + Severe, Probable + Significant/Severe
ICO Prior Consultation
GDPR Compliance Sections
Necessity and Proportionality
Necessity Test: For each processing purpose, justify why it’s necessary. Example:Purpose: Process health data to recommend treatment options. Necessity: Treatment recommendations require analyzing patient medical history (diagnoses, medications, allergies). This is necessary for safe, effective care. Proportionality: We collect only medical history directly relevant to current symptoms. We do NOT collect unrelated data (e.g., employment history, political views).Legal Basis (Article 6):
- Consent: User explicitly consents (e.g., marketing emails)
- Contract: Necessary for contract performance (e.g., payment processing)
- Legal Obligation: Required by law (e.g., tax records retention)
- Vital Interests: Necessary to protect life (e.g., emergency medical treatment)
- Public Task: Necessary for public interest (e.g., NHS patient care)
- Legitimate Interest: Necessary for legitimate interests (e.g., fraud detection)
- Explicit Consent: User gives explicit consent (not just opt-in checkbox)
- Employment: Necessary for employment rights/obligations
- Vital Interests: Necessary to protect life (unconscious patient)
- Medical Purposes: Necessary for healthcare (diagnosis, treatment)
- Public Interest: Necessary for public health (epidemics, disease surveillance)
Data Subject Rights
Children’s Data (Article 8)
If processing children’s data (under 18 in UK):International Transfers
If transferring data outside UK: Adequate Countries (no additional safeguards needed):- EU/EEA countries (adequacy decision)
- Countries with ICO adequacy decisions (e.g., Israel, New Zealand)
- Standard Contractual Clauses (SCCs): EU Commission-approved contracts
- Binding Corporate Rules (BCRs): Internal group data transfer rules
- Certification Schemes: e.g., EU-US Data Privacy Framework (if applicable)
- Avoid transfers to countries with mass surveillance laws (e.g., China, Russia) unless essential and with strong encryption
Document Structure
The generated DPIA includes:Real-World Example
NHS Appointment Booking - DPIA Summary
NHS Appointment Booking - DPIA Summary
Project: NHS Appointment Booking System (Project 003)ICO Screening: 3/9 criteria met → DPIA REQUIRED
- ✅ Criterion 4: Sensitive data (Health records, NHS numbers)
- ✅ Criterion 5: Large scale (>500,000 patients nationally)
- ✅ Criterion 7: Vulnerable subjects (Elderly patients, disabled patients)
- Data Subjects: NHS patients (all ages, including children and elderly)
- Personal Data: 5 entities with PII (Patient, Appointment, MedicalHistory)
- Special Category Data: YES (Health data - diagnoses, medications, allergies)
- Legal Basis: Public Task (Article 6(1)(e)) - NHS statutory duty to provide care
- Article 9 Condition: Medical Purposes (Article 9(2)(h)) - healthcare provision
- Retention Period: 8 years after last interaction (NHS records retention policy)
- Total Risks: 8 identified
- 🔴 High: 2 (unauthorized access to health records, data breach affecting vulnerable patients)
- 🟠 Medium: 4 (data quality issues, inability to delete records, third-party breach)
- 🟢 Low: 2 (minor availability issues, email delivery failures)
- DPIA-001: Unauthorized access to patient health records (🔴 HIGH)
- Likelihood: Possible (phishing, insider threat)
- Severity: Severe (medical confidentiality breach, discrimination, psychological harm)
- Mitigations: Role-based access control, audit logging, MFA for staff, data encryption (AES-256)
- Residual Risk: 🟠 MEDIUM
- DPIA-002: Data breach affecting vulnerable elderly patients (🔴 HIGH)
- Likelihood: Possible (targeted attack on elderly demographic)
- Severity: Severe (elderly more susceptible to fraud, identity theft)
- Mitigations: Enhanced security for vulnerable patient records, breach notification within 72 hours, ICO reporting
- Residual Risk: 🟠 MEDIUM
- Encryption at rest (AES-256) and in transit (TLS 1.3)
- Role-based access control (RBAC) with least privilege
- Multi-factor authentication (MFA) for all staff
- Audit logging (all access to patient records)
- Data minimization (only collect necessary health data)
- Pseudonymization for analytics (anonymize NHS numbers)
- Breach notification process (72-hour ICO reporting)
- Staff training (GDPR, data protection, phishing awareness)
- ✅ Implemented: SAR (export patient data), rectification (update records), portability (JSON export)
- ❌ Not Implemented: Erasure (NHS retention policy prevents deletion before 8 years)
- Mitigation: Document legal basis for retention (NHS statutory duty, medical records retention)
- Obtain Data Controller signature (NHS Trust Chief Executive)
- Obtain DPO signature (NHS Trust Data Protection Officer)
- Implement recommended mitigations (encryption, RBAC, MFA)
- Establish 12-month review cycle
- Train staff on GDPR and data protection
- Implement breach notification process
Tips & Best Practices
Review RegularlyDPIAs must be reviewed:
- Every 12 months (recommended)
- When new processing activities are added
- When data protection risks change
- When ICO guidance is updated
- After a data breach occurs
Quality Checks
Before generating the document, ArcKit validates:Related Commands
Data Model
Prerequisite: Run before DPIA to identify PII
Requirements
Input: Extract DR-xxx, NFR-SEC, compliance requirements
Risk Register
Integration: Add DPIA risks to risk register
Secure by Design
Integration: Extract security controls as mitigations
AI Playbook
Integration: Algorithmic bias assessment for AI/ML
Stakeholders
Input: Data subject categories, vulnerable groups