
Make your Data protection impact assessment (DPIA)

What is a DPIA?

A DPIA is a process designed to help organisations identify and minimise the data protection risks of a project. Organisations must carry out DPIAs if the personal data processing they want to engage in is likely to result in a high risk to individuals. For more information, read Data protection impact assessments and Data protection.

What are the lawful bases for data processing?

The UK General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA) set out certain lawful bases (also known as ‘lawful grounds’) for data processing. This means that organisations will only be able to process personal data if at least one of the following six grounds has been met:

  • consent - the data subject (ie the individual whose data is being processed) has given clear consent for the processing of their personal data for a specific purpose

  • performance of a contract - the processing is necessary for contract performance or to ‘take steps’ at the request of the data subject before entering into a contract

  • necessary for compliance - the processing is required to comply with the law (not including contractual obligations)

  • protection of vital interests - the processing is necessary to protect someone’s life

  • public interest - the processing is necessary for the performance of a task in the public interest or for the organisation’s official functions, and the task or function has a clear basis in law

  • legitimate interest - the processing is necessary for the organisation’s or a third party’s legitimate interests, and there is no good reason to protect the personal data that overrides those legitimate interests. Where this is the case, a Legitimate interest assessment must be carried out

The DPIA should clearly set out which legal grounds for processing apply.

For more information, read Processing personal data.

When can special category personal data be processed?

Special category ‘sensitive’ personal data (often simply referred to as ‘special category’ or ‘sensitive’ personal data) includes information about:

  • racial or ethnic origin

  • political opinions

  • religious or similar beliefs

  • trade union membership

  • physical or mental health

  • sexual life

  • biometrics (eg fingerprint data/facial images), or

  • genetics

Due to the sensitive nature of this data, it is given greater protection than other types of personal data (eg names and addresses). This means that processing special category data is only permitted when one or more of the further conditions for processing special category personal data are met and recorded in a DPIA. 

Most of the further conditions revolve around the processing being necessary. Being ‘necessary’ doesn’t mean the processing must be absolutely essential, but it must be more than useful or habitual. Processing must also be a reasonable and proportionate way of achieving the purpose it’s being carried out for, and the organisation must not use more data than it needs to achieve its purpose. For more information, read the Information Commissioner’s Office’s (ICO’s) guidance on what ‘necessary’ means.

What are the further conditions for processing?

The further conditions for processing are: 

1. Explicit consent

This is where the data subject has explicitly consented to the data processing. Their consent must be freely given, specific, affirmative (ie a clear opt-in), unambiguous, and able to be withdrawn at any time. Generally, for consent to be ‘explicit’, it:

  • must be confirmed in a clear (verbal or written) statement, not by another type of affirmative action

  • must specify the nature of the special category data, and

  • should be separate from any other consent sought by the organisation

Read Consent under GDPR for more information. This condition applies to a wide range of circumstances; however, when relied upon, people must be given a genuine choice over whether and how their data is used.

2. Employment, social security, and social protection

This is where processing is necessary for the organisation to carry out its obligations and exercise specific rights in the fields of employment, social security, and social protection law, insofar as authorised by law. This condition is likely relevant for employers (eg for enabling them to ensure the health and safety of staff). 

Associated conditions

For an organisation to be able to rely on this condition to process special category sensitive data, the following ‘associated condition’ must be met:

  • the processing is necessary for the purposes of performing/exercising obligations or rights which are imposed or conferred by law on the controller (ie the main decision-maker for the purposes of data processing) or the data subject in connection with employment, social security, or social protection. This condition can only be relied on if the organisation can show that it has a legal obligation or right to process the data. This can be done by referencing a specific legal provision or by pointing to an appropriate source of advice or guidance (eg government or industry guidance setting out relevant employment obligations or rights), and

  • the organisation needs to have an Appropriate policy document (APD) in place. This is a short document outlining the organisation’s compliance measures and data retention policies for special category data

3. Vital interests

The processing is necessary to protect the vital interests of a data subject or another person where the data subject is physically or legally incapable of giving consent. This means that organisations should, where possible, ask for explicit consent. If a data subject refuses to give consent, this condition cannot be used as a fallback condition unless the data subject is physically/legally incapable of giving consent.

This condition generally only applies to matters of life and death and is likely relevant for emergency medical care (eg where personal data needs to be processed for medical purposes, but the individual is unconscious).

4. Not-for-profit bodies

Organisations can only rely on this condition if they:

  • are a not-for-profit body (eg a charity, trade union, church, or other association with a political, philosophical, or religious aim)

  • are processing special category data as part of their legitimate activities. This covers most conduct provided it does not stray outside the purposes and powers set out in the organisation’s constitution or governing documents

  • are only processing the data of members, former members, or other individuals in regular contact with them, ‘in connection with their purposes’ (eg partners, supporters, or beneficiaries). This means that the condition doesn’t apply to employee data or prospective member data

  • have appropriate safeguards in place (eg restricting data access, applying shorter retention periods, or providing individuals with an opt-out), and

  • don’t disclose this data to third parties without the data subject’s explicit consent

5. Made public by the data subject

The processing relates to personal data that has been made public by the person to whom it relates. This condition doesn’t cover all special category data made public - it only covers personal data that individuals themselves make public. Organisations need to be confident that individuals themselves actively chose to make their special category data public and that this was unmistakably a deliberate act on their part (eg blogging about a health condition).

Further, the data must be ‘manifestly made public’. This means that it must realistically be accessible to the public. Organisations should ask themselves whether any hypothetical interested member of the public could access this information (not whether it is theoretically available to the public, such as being mentioned in court).

When relying on this condition, organisations should keep a record of the data source to help demonstrate that it was manifestly made public by the individual.

6. Legal claims or judicial acts

For legal claims, organisations must show that the purpose for processing is to establish, exercise, or defend legal claims. Legal claims are not limited to current legal proceedings, but include processing necessary for:

  • actual or prospective court proceedings

  • accessing legal advice, and/or

  • establishing, exercising, or defending legal rights in any other way

Judicial acts apply where a court or tribunal is acting in its judicial capacity. Courts can rely on this condition when they are processing special category data in their judicial capacity. Where the processing is not part of their judicial capacity, this condition doesn’t apply, and a different condition is required.

7. Substantial public interest

The processing is necessary for reasons of substantial public interest. Being of ‘substantial public interest’ means the relevant public interest needs to be real and of substance. Due to the inherent risks of processing special category personal data, organisations cannot say that the processing is in the public interest for vague or generic reasons. Instead, organisations need to be able to make a specific argument about the concrete wider benefits of the processing. For example, organisations may wish to consider how the processing of sensitive personal data would benefit the public including:

  • the amount of benefit experienced from the processing (even if only experienced by a small number of people), and

  • the number of people who would benefit from the processing

Organisations should focus on demonstrating that their overall processing purpose has substantial public interest benefits. An organisation does not typically need to make a new public interest argument to demonstrate the specific benefits of processing each time it undertakes processing, provided that the overall purpose for processing is of substantial public interest (as initially demonstrated).

Associated conditions

For an organisation to be able to rely on this condition, at least one of the 23 substantial public interest conditions set out in the DPA needs to be met. In most cases, the organisation will also need to have in place an APD. For more information, read Substantial public interest for DPIAs.

8. Health or social care

The processing is necessary for health or social care purposes (eg for the provision of medical diagnoses or the provision of social care, such as social work). 

Associated conditions

For an organisation to be able to rely on this condition, the following ‘associated conditions’ need to be met:

  • the processing is necessary for health or social care purposes, which cover:

    • preventive or occupational medicine

    • the assessment of staff working capacity

    • medical diagnosis

    • the provision of healthcare or treatments

    • the provision of social care (eg social work, personal care, or social support services), or

    • the management of healthcare or social care systems or services

and

  • the processing is carried out by (or under the responsibility of) a professional who is subject to an obligation of professional secrecy. This means that the processing must be either carried out:

    • by (or under the responsibility of) a health professional or social work professional (eg a doctor, nurse, dentist, midwife, child psychotherapist, or social worker), or

    • by someone else who owes a duty of confidentiality under the law

For more information, read the ICO’s guidance on processing sensitive personal data for health or social care.

9. Public health

The processing is necessary due to public interest in public health. This condition may be relevant to public vaccination programmes, clinical trials, and public health monitoring.

Associated conditions

For an organisation to be able to rely on this condition, the following ‘associated condition’ must be met:

  • the processing is necessary for reasons of public interest in the area of public health. To demonstrate a ‘public interest’, organisations need to demonstrate that the processing has a benefit for the wider public or society as a whole (rather than for their own interests or the interests of a particular individual). Further, the processing should not enable processing for other purposes by employers, insurers, or banks. The GDPR defines public health as including:

    • health status (eg morbidity and disability)

    • determinants affecting that health status

    • healthcare needs

    • resources allocated to healthcare

    • the provision of and universal access to healthcare

    • healthcare expenditure and financing, and

    • causes of mortality

and

  • the processing is carried out by (or under the responsibility of) a health professional or by another person who, in the circumstances, owes a duty of confidentiality under the law. This means that the processing must either be carried out:

    • by (or under the responsibility of) a health professional (eg doctor, nurse, dentist, midwife, or paramedic), or

    • by someone else who owes a duty of confidentiality under the law

For more information, read the ICO’s guidance on public health and health professionals.

10. Archiving, research, and statistics

The processing is necessary for statistical purposes, archiving purposes, or scientific or historical research purposes, and is in the public interest. This means that not all research is covered by this condition.

Associated conditions

For an organisation to be able to rely on this condition, the following ‘associated condition’ needs to be met:

  • the processing is necessary for archiving, scientific or historical research, or statistical purposes, and is a reasonable and proportionate way of achieving those purposes without the organisation holding more data than it needs, and

  • the organisation complies with the safeguards and restrictions set out in Article 89(1) of the GDPR and section 19 of the DPA, ie it must:

    • demonstrate why it cannot use anonymised data

    • consider making it more difficult to link the personal data to a specific individual by using pseudonymisation

    • demonstrate that the processing is unlikely to cause substantial damage or distress to individuals

    • not use the data to take actions or make decisions about the individuals concerned (unless approved medical research is being carried out), and

    • consider implementing other appropriate safeguards and security measures

and

  • the processing is in the public interest. Organisations need to demonstrate that the processing has a benefit for the wider public or society as a whole (rather than for their own interests or the interests of a particular individual) 


For more information on the conditions for processing special category personal data, see the ICO’s guidance on the conditions for processing. Ask a lawyer if you have any questions or concerns about DPIAs or processing sensitive personal data.

When can criminal offence data be processed?

[Infographic: what criminal offence data is]

Criminal offence data is personal data that relates to criminal convictions or offences or related security measures. Information about criminal offences is treated separately from other personal data and from special category data, and is subject to even tighter controls that need to be recorded in a DPIA.

To process criminal offence data, organisations must: 

  • have a lawful basis for processing

  • be fair and transparent about the processing, and 

  • comply with the data protection principles and all other requirements of the GDPR

Further, criminal offence data can only be processed under the control of an official authority or where authorised by domestic law (the DPA sets out 28 conditions for processing criminal offence data). Organisations must determine whether they can process criminal offence data before doing so. For more information, read Criminal offence data for DPIAs.


If you have any questions about carrying out a DPIA or require assistance, Ask a lawyer. Consider using our GDPR compliance service to ensure your business complies with all relevant data protection laws.


Written and reviewed by experts
This guide was created, edited, and reviewed by editorial staff who specialise in translating complex legal topics into plain language.

At Rocket Lawyer, we believe legal information should be both reliable and easy to understand—so you don't need a law degree to feel informed. We follow a rigorous editorial policy to ensure all our content is helpful, clear, and as accurate and up-to-date as possible.

About this page:

  • this guide was written and reviewed by Rocket Lawyer editorial staff
  • this guide was last reviewed or updated on 13 January 2026
