Data Protection Impact Assessment (DPIA) Policy for Rhics Ltd



Rhics Ltd recognises the importance of protecting personal data and ensuring privacy rights are respected. The Data Protection Impact Assessment (DPIA) is a critical tool in identifying and minimising the data protection risks of projects and processes involving personal data. This policy outlines the procedures for conducting DPIAs, including when they are required, the roles and responsibilities involved, and the review period for DPIAs.

Policy Objective

To ensure Rhics Ltd complies with data protection laws, including the GDPR, and to integrate data protection by design and by default into our processing activities. This policy aims to establish clear guidelines for conducting DPIAs, thereby safeguarding personal data and privacy rights of individuals.


This policy applies to all departments and operations within Rhics Ltd that involve the processing of personal data, particularly where new technologies are being deployed or where processing might pose a high risk to the rights and freedoms of individuals.

When is a DPIA Required?

A DPIA is required at Rhics Ltd under the following circumstances:

  • New Projects: For any new project or system that involves the processing of personal data.
  • Significant Changes: When changes to an existing processing activity could impact privacy risks, including changes to data handling processes, systems, or technologies.
  • High-Risk Processing: For processes that include systematic monitoring, sensitive data processing, or large-scale processing of personal data.

Roles and Responsibilities

  • Data Protection Officer (DPO): Oversees the DPIA process, ensures compliance with this policy, and serves as a point of contact for data protection queries.
  • Project Managers: Responsible for initiating the DPIA for projects under their management.
  • IT Department: Provides technical expertise and assists in assessing data processing operations and identifying mitigation measures.
  • Legal Department: Advises on compliance issues and helps assess the legality of the processing activities.
  • Data Processors and Third Parties: Cooperate in providing necessary information for DPIA completion when they are involved in processing activities.

DPIA Process

  1. Identify the Need for DPIA: The project manager, in consultation with the DPO, determines whether a DPIA is necessary.
  2. Conduct the DPIA: The DPIA should describe the data processing, assess necessity and proportionality, and help identify and mitigate risks.
    • Describe processing operations: What type of data is processed, for what purpose, and what are the benefits?
    • Assess necessity and proportionality: Is the processing necessary for and proportionate to the purpose?
    • Identify risks: What are the potential impacts on individuals?
    • Mitigate risks: What measures can be implemented to mitigate these risks?
  3. Consultation: Consult internally and with the DPO. If high risks are identified that cannot be mitigated, consult the relevant regulatory authority.
  4. Implement Measures: Implement the identified privacy-enhancing measures and integrate them into the project plan.
  5. Record Outcomes: Document the DPIA outcomes and keep this documentation accessible.

Review and Update

  • Review Period: DPIAs at Rhics Ltd must be reviewed at least every two years or whenever there is a significant change to the processing activity that may affect the nature, scope, context, or purposes of the processing.
  • Updates: The DPIA policy itself will be reviewed annually to ensure compliance with evolving data protection regulations and standards.


The DPIA policy is an essential component of Rhics Ltd’s commitment to data protection compliance and best practices. By adhering to this policy, we ensure that all data processing activities are conducted responsibly, transparently, and in accordance with legal requirements and best practices.


This policy has been approved by the board of directors of Rhics Ltd and is effective immediately. It is mandatory for all staff and relevant third parties involved in the processing of personal data under the scope of Rhics Ltd’s operations.