Data Protection Impact Assessment (DPIA)

Category: Compliance & AML · Reviewed by Amy Price, Account Executive · Last reviewed June 2026

A structured analysis required by UK GDPR before commencing processing likely to result in high risk to the rights and freedoms of data subjects — covering necessity, proportionality, risk identification, and mitigation.

Definition

A Data Protection Impact Assessment (DPIA) is a documented process to identify and minimise the data protection risks of a project, system or processing activity. It is required where processing is likely to result in a high risk to the rights and freedoms of data subjects, and is a key accountability tool under UK GDPR Article 35.

Legal / Regulatory basis

UK GDPR, Article 35 (Data Protection Impact Assessment) and Article 36 (prior consultation with the ICO where the DPIA indicates a residual high risk).

How it works in practice

A DPIA must cover: a systematic description of the envisaged processing operations and the purposes; an assessment of necessity and proportionality; an assessment of the risks to the rights and freedoms of data subjects; the measures envisaged to address the risks. The ICO has published a list of processing operations for which a DPIA is mandatory (including innovative technology, large-scale special category data processing, large-scale profiling, and combinations of data sets). The DPO (where appointed) advises and the controller approves.

Common variations

For new digital underwriting tools that use machine learning, profiling or innovative biometric or behavioural analytics, a DPIA is typically required. For routine policy administration using established systems, a DPIA may be unnecessary or already covered by a programme-level DPIA. Where the DPIA indicates residual high risk that cannot be mitigated, Article 36 requires prior consultation with the ICO before commencing the processing.

Example

Apex would conduct a DPIA before deploying any new automated risk-scoring tool that uses behavioural or social media data to support underwriting decisions. The DPIA would document the necessity, the alternative options considered, the safeguards (transparency, human review, accuracy checks), the residual risk, and the approval.

References

UK GDPR, Articles 35 and 36. ICO guidance on Data Protection Impact Assessments.

Last reviewed

By Matt Bartlett, Director, on 2026-06-11.

This entry is part of the Apex Insurance Wiki.