[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fWnUM1CKexQ5O6FbqsgxIzOoHWmGdUWX1G-Dxtff9I58":3},{"sections":4,"resultAnalysis":155,"id":202,"version":203,"newVersion":22,"label":8,"isPinned":22,"isShared":22,"sharingToken":9,"isRevision":22,"isBlockAnalysisShared":34,"nbReferences":28,"referenceId":9,"nbResponses":11,"parentId":9,"revisionDescription":9,"logoUrl":204,"description":205,"scheduleIntervalDays":9,"versionNumber":28,"dateCreation":206,"dateUpdate":207,"dateArchived":9,"archived":22,"type":208,"typeIndex":11,"typeColor":9,"typeIcon":9,"typeText":209,"creator":210,"objectType":218,"objectTypeIndex":173,"objectTypeColor":219,"objectTypeIcon":220,"objectTypeText":221,"defaultOwners":222,"tags":224,"privacyHubs":9,"nbQuestions":200,"nbQuestionsRequired":11,"nbDatas":11,"deadLineDays":9},[5],{"id":6,"slug":7,"label":8,"emoji":9,"type":10,"typeIndex":11,"typeColor":9,"typeIcon":9,"typeText":12,"descriptionHtml":13,"questions":14,"sections":154},"fc17aa75-5748-4786-a0f4-66fbbde499ef","initial","ICO DPIA screening checklist",null,"Default",0,"SectionType_Default","\u003Cp>This checklist helps assess whether a planned or existing personal data processing activity requires a Data Protection Impact Assessment (DPIA) under the UK GDPR. Each checked item indicates a potential risk factor, with the total score guiding whether a DPIA is mandatory, recommended, or unnecessary. More information on: \u003Ca href=\"https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/guide-to-accountability-and-governance/data-protection-impact-assessments/\">https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/guide-to-accountability-and-governance/data-protection-impact-assessments/\u003C/a>\u003Cbr>\u003Cbr>This checklist is provided for general guidance only and does not constitute legal advice. Completing it does not replace a full risk assessment or professional legal consultation. Organisations remain responsible for ensuring compliance with the UK GDPR and for seeking expert advice where necessary.\u003C/p>",[15,35,76,130,142],{"id":16,"slug":17,"label":18,"tooltipHtml":9,"descriptionHtml":9,"badResponseCommentHtml":9,"goodResponseCommentHtml":9,"placeholder":9,"min":9,"max":9,"regex":9,"unit":9,"type":19,"typeIndex":20,"typeColor":9,"typeIcon":9,"typeText":21,"dynamicSelectType":9,"editableOptions":22,"complianceRules":23,"displayConditions":9,"answers":24,"listQuestions":9,"required":22,"requiredJustification":22,"suggestTask":22,"riskEnabled":34,"native":22},"4dfb9302-d373-4be6-aee0-c03db74e0859","5ee53882-6e59-4c69-8c9b-268c3e1fa11e"," We consider carrying out a DPIA in any major project involving the use of personal data.","Radio",7,"Lista de casillas de verificación (una sola respuesta)",false,[],[25,30],{"id":26,"color":9,"rangeValue":9,"label":27,"slug":9,"description":9,"score":28,"nonApplicable":22,"tooltip":9,"goodAnswer":22,"redFlag":22,"impact":9,"probability":9,"taskSuggestions":29},"0f28d041-a019-4329-864d-6589b4d51f30","Yes",1,[],{"id":31,"color":9,"rangeValue":9,"label":32,"slug":9,"description":9,"score":11,"nonApplicable":22,"tooltip":9,"goodAnswer":22,"redFlag":22,"impact":9,"probability":9,"taskSuggestions":33},"30d8753f-28f1-4639-87ff-70c5cd616c1a","No",[],true,{"id":36,"slug":37,"label":38,"tooltipHtml":9,"descriptionHtml":9,"badResponseCommentHtml":9,"goodResponseCommentHtml":9,"placeholder":9,"min":9,"max":9,"regex":9,"unit":9,"type":39,"typeIndex":40,"typeColor":9,"typeIcon":9,"typeText":41,"dynamicSelectType":9,"editableOptions":22,"complianceRules":42,"displayConditions":9,"answers":43,"listQuestions":9,"required":22,"requiredJustification":22,"suggestTask":22,"riskEnabled":34,"native":22},"886bcbd8-bc22-41ec-991e-671244e9edbf","885f442a-d705-4c5d-839b-b6d6dac3cf02","We consider whether to do a DPIA if we plan to carry out any other:","Checkbox",8,"Lista de casillas de verificación (puede haber varias respuestas)",[],[44,48,52,56,60,64,68,72],{"id":45,"color":9,"rangeValue":9,"label":46,"slug":9,"description":9,"score":28,"nonApplicable":22,"tooltip":9,"goodAnswer":22,"redFlag":22,"impact":9,"probability":9,"taskSuggestions":47},"5a882b83-5a29-4036-b3b9-2df295aadd38","evaluation or scoring;",[],{"id":49,"color":9,"rangeValue":9,"label":50,"slug":9,"description":9,"score":28,"nonApplicable":22,"tooltip":9,"goodAnswer":22,"redFlag":22,"impact":9,"probability":9,"taskSuggestions":51},"eb5eaa82-d0ef-4876-b306-20b2ac4a0e3d","automated decision-making with significant effects;",[],{"id":53,"color":9,"rangeValue":9,"label":54,"slug":9,"description":9,"score":28,"nonApplicable":22,"tooltip":9,"goodAnswer":22,"redFlag":22,"impact":9,"probability":9,"taskSuggestions":55},"9b57ca3b-be1a-4941-a4dd-03130f2efcd9","systematic monitoring;",[],{"id":57,"color":9,"rangeValue":9,"label":58,"slug":9,"description":9,"score":28,"nonApplicable":22,"tooltip":9,"goodAnswer":22,"redFlag":22,"impact":9,"probability":9,"taskSuggestions":59},"66d18ffa-4b6c-4053-a078-80d7b0a4c1c9","processing of sensitive data or data of a highly personal nature;",[],{"id":61,"color":9,"rangeValue":9,"label":62,"slug":9,"description":9,"score":28,"nonApplicable":22,"tooltip":9,"goodAnswer":22,"redFlag":22,"impact":9,"probability":9,"taskSuggestions":63},"7ad2c076-dc97-4dbc-89c0-e8d495bbf97c","processing on a large scale;",[],{"id":65,"color":9,"rangeValue":9,"label":66,"slug":9,"description":9,"score":28,"nonApplicable":22,"tooltip":9,"goodAnswer":22,"redFlag":22,"impact":9,"probability":9,"taskSuggestions":67},"0a162f58-97c0-4f97-a343-516599040429","processing of data concerning vulnerable data subjects;",[],{"id":69,"color":9,"rangeValue":9,"label":70,"slug":9,"description":9,"score":28,"nonApplicable":22,"tooltip":9,"goodAnswer":22,"redFlag":22,"impact":9,"probability":9,"taskSuggestions":71},"b41dcc42-0c8f-4cb8-be54-211989cfc24a","innovative technological or organisational solutions;",[],{"id":73,"color":9,"rangeValue":9,"label":74,"slug":9,"description":9,"score":28,"nonApplicable":22,"tooltip":9,"goodAnswer":22,"redFlag":22,"impact":9,"probability":9,"taskSuggestions":75},"ac0bdcbe-5d00-4ced-ae5b-6ac94668025b","processing that involves preventing data subjects from exercising a right or using a service or contract.",[],{"id":77,"slug":78,"label":79,"tooltipHtml":9,"descriptionHtml":9,"badResponseCommentHtml":9,"goodResponseCommentHtml":9,"placeholder":9,"min":9,"max":9,"regex":9,"unit":9,"type":39,"typeIndex":40,"typeColor":9,"typeIcon":9,"typeText":41,"dynamicSelectType":9,"editableOptions":22,"complianceRules":80,"displayConditions":9,"answers":81,"listQuestions":9,"required":22,"requiredJustification":22,"suggestTask":22,"riskEnabled":34,"native":22},"d671c3dc-bbd2-4cb7-b562-472d304842bb","e2d4879a-064e-4715-a849-f4993e3f63bd"," We always carry out a DPIA if we plan to:",[],[82,86,90,94,98,102,106,110,114,118,122,126],{"id":83,"color":9,"rangeValue":9,"label":84,"slug":9,"description":9,"score":28,"nonApplicable":22,"tooltip":9,"goodAnswer":22,"redFlag":22,"impact":9,"probability":9,"taskSuggestions":85},"5c3c1ee4-23f5-4f79-b9d1-92b85bccc825","use systematic and extensive profiling or automated decision-making to make significant decisions about people;",[],{"id":87,"color":9,"rangeValue":9,"label":88,"slug":9,"description":9,"score":28,"nonApplicable":22,"tooltip":9,"goodAnswer":22,"redFlag":22,"impact":9,"probability":9,"taskSuggestions":89},"cb5f39f4-7bf7-46ce-8635-4552f5dd3ee6","process special-category data or criminal-offence data on a large scale;",[],{"id":91,"color":9,"rangeValue":9,"label":92,"slug":9,"description":9,"score":28,"nonApplicable":22,"tooltip":9,"goodAnswer":22,"redFlag":22,"impact":9,"probability":9,"taskSuggestions":93},"1e7c0e9c-c16e-4aa8-a7ac-04de211988be","systematically monitor a publicly accessible place on a large scale;",[],{"id":95,"color":9,"rangeValue":9,"label":96,"slug":9,"description":9,"score":28,"nonApplicable":22,"tooltip":9,"goodAnswer":22,"redFlag":22,"impact":9,"probability":9,"taskSuggestions":97},"62a01ed5-d666-4ec3-9574-2f5c9d9d695e","use innovative technology in combination with any of the criteria in the European guidelines;",[],{"id":99,"color":9,"rangeValue":9,"label":100,"slug":9,"description":9,"score":28,"nonApplicable":22,"tooltip":9,"goodAnswer":22,"redFlag":22,"impact":9,"probability":9,"taskSuggestions":101},"ffb21ae2-dc94-4f82-a2d6-afe0a5b80f53","use profiling, automated decision-making or special category data to help make decisions on someone’s access to a service, opportunity or benefit;",[],{"id":103,"color":9,"rangeValue":9,"label":104,"slug":9,"description":9,"score":28,"nonApplicable":22,"tooltip":9,"goodAnswer":22,"redFlag":22,"impact":9,"probability":9,"taskSuggestions":105},"854bc335-fbf2-45d4-bb2b-aff3ff179e95","carry out profiling on a large scale;",[],{"id":107,"color":9,"rangeValue":9,"label":108,"slug":9,"description":9,"score":28,"nonApplicable":22,"tooltip":9,"goodAnswer":22,"redFlag":22,"impact":9,"probability":9,"taskSuggestions":109},"6e2ac32f-21d3-4cb5-822f-82b6d998dd9c","process biometric or genetic data in combination with any of the criteria in the European guidelines;",[],{"id":111,"color":9,"rangeValue":9,"label":112,"slug":9,"description":9,"score":28,"nonApplicable":22,"tooltip":9,"goodAnswer":22,"redFlag":22,"impact":9,"probability":9,"taskSuggestions":113},"0e667e1d-5a05-4e08-b443-3fd41c8c1113","combine, compare or match data from multiple sources;",[],{"id":115,"color":9,"rangeValue":9,"label":116,"slug":9,"description":9,"score":28,"nonApplicable":22,"tooltip":9,"goodAnswer":22,"redFlag":22,"impact":9,"probability":9,"taskSuggestions":117},"ead075d9-71e0-4388-bb4f-b67c6cdd2a23","process personal data without providing a privacy notice directly to the individual in combination with any of the criteria in the European guidelines;",[],{"id":119,"color":9,"rangeValue":9,"label":120,"slug":9,"description":9,"score":28,"nonApplicable":22,"tooltip":9,"goodAnswer":22,"redFlag":22,"impact":9,"probability":9,"taskSuggestions":121},"d855fe46-f507-486d-a08f-962f53092ceb","process personal data in a way that involves tracking individuals’ online or offline location or behaviour, in combination with any of the criteria in the European guidelines;",[],{"id":123,"color":9,"rangeValue":9,"label":124,"slug":9,"description":9,"score":28,"nonApplicable":22,"tooltip":9,"goodAnswer":22,"redFlag":22,"impact":9,"probability":9,"taskSuggestions":125},"e8ff9809-d1ac-441a-b134-a190c64523a0","process children’s personal data for profiling or automated decision-making or for marketing purposes, or offer online services directly to them;",[],{"id":127,"color":9,"rangeValue":9,"label":128,"slug":9,"description":9,"score":28,"nonApplicable":22,"tooltip":9,"goodAnswer":22,"redFlag":22,"impact":9,"probability":9,"taskSuggestions":129},"2cca110c-281b-4a52-a616-bbb3d81aaec8","process personal data that could result in a risk of physical harm in the event of a security breach.",[],{"id":131,"slug":132,"label":133,"tooltipHtml":9,"descriptionHtml":9,"badResponseCommentHtml":9,"goodResponseCommentHtml":9,"placeholder":9,"min":9,"max":9,"regex":9,"unit":9,"type":19,"typeIndex":20,"typeColor":9,"typeIcon":9,"typeText":21,"dynamicSelectType":9,"editableOptions":22,"complianceRules":134,"displayConditions":9,"answers":135,"listQuestions":9,"required":22,"requiredJustification":22,"suggestTask":22,"riskEnabled":34,"native":22},"b038ff1f-4018-4948-afcd-7e2f443b30fd","54ca4afa-d125-4b9d-a261-3dadc6d2d710","We carry out a new DPIA if there is a change to the nature, scope, context or purposes of our processing.",[],[136,139],{"id":137,"color":9,"rangeValue":9,"label":27,"slug":9,"description":9,"score":28,"nonApplicable":22,"tooltip":9,"goodAnswer":22,"redFlag":22,"impact":9,"probability":9,"taskSuggestions":138},"6acf9ae6-5b24-48f3-8dda-20737b1d0707",[],{"id":140,"color":9,"rangeValue":9,"label":32,"slug":9,"description":9,"score":11,"nonApplicable":22,"tooltip":9,"goodAnswer":22,"redFlag":22,"impact":9,"probability":9,"taskSuggestions":141},"fc0d6786-ebdf-4e25-8cb6-4a1b92826e9a",[],{"id":143,"slug":144,"label":145,"tooltipHtml":9,"descriptionHtml":9,"badResponseCommentHtml":9,"goodResponseCommentHtml":9,"placeholder":9,"min":9,"max":9,"regex":9,"unit":9,"type":19,"typeIndex":20,"typeColor":9,"typeIcon":9,"typeText":21,"dynamicSelectType":9,"editableOptions":22,"complianceRules":146,"displayConditions":9,"answers":147,"listQuestions":9,"required":22,"requiredJustification":22,"suggestTask":22,"riskEnabled":34,"native":22},"d4ba351a-732d-4ea1-9aba-a252bb158375","0613786f-a0ee-481e-bb59-5bf95880d2b0","If we decide not to carry out a DPIA, we document our reasons.",[],[148,151],{"id":149,"color":9,"rangeValue":9,"label":27,"slug":9,"description":9,"score":28,"nonApplicable":22,"tooltip":9,"goodAnswer":22,"redFlag":22,"impact":9,"probability":9,"taskSuggestions":150},"348dd145-0de0-4d6b-8a26-77b6df5cf0f4",[],{"id":152,"color":9,"rangeValue":9,"label":32,"slug":9,"description":9,"score":11,"nonApplicable":22,"tooltip":9,"goodAnswer":22,"redFlag":22,"impact":9,"probability":9,"taskSuggestions":153},"e6d17834-ec23-402f-b000-3dfe15e01596",[],[],[156,175,191],{"id":157,"label":158,"variant":159,"variantIndex":11,"variantColor":160,"variantIcon":161,"variantText":162,"contentHtml":163,"displayConditions":164},"e190ca5f-75b5-4e04-879f-cb117a0761da","DPIA generally not required","Info","#1E8EE1","icon-alert-circle","Información","\u003Cul>\u003Cli>\u003Cp>Processing is low risk and does not meet high-risk indicators.\u003C/p>\u003C/li>\u003Cli>\u003Cp>You should still \u003Cstrong>document the assessment\u003C/strong> and reasons for not doing a DPIA\u003C/p>\u003C/li>\u003C/ul>\u003Cp>Please note tha  high-risk override rules apply: A DPIA is \u003Cstrong>mandatory\u003C/strong> regardless of score if \u003Cstrong>any\u003C/strong> of these are ticked:\u003C/p>\u003Cul>\u003Cli>\u003Cp>Systematic and extensive profiling/automated decision-making with significant effects.\u003C/p>\u003C/li>\u003Cli>\u003Cp>Large-scale processing of special category or criminal offence data.\u003C/p>\u003C/li>\u003Cli>\u003Cp>Large-scale systematic monitoring of a publicly accessible place.\u003C/p>\u003C/li>\u003Cli>\u003Cp>Processing that could cause physical harm in the event of a breach.\u003C/p>\u003C/li>\u003C/ul>",{"id":165,"separator":166,"field":9,"operator":167,"value":9,"rules":168},"d2feea9b-9f76-4711-9718-b92f1bafc2f1","And","equal",[169],{"id":170,"separator":9,"field":171,"operator":172,"value":173,"rules":174},"53e0b792-bcc3-4539-bd23-9d671498fc22","score","lessThanInclusive",2,[],{"id":176,"label":177,"variant":159,"variantIndex":11,"variantColor":160,"variantIcon":161,"variantText":162,"contentHtml":178,"displayConditions":179},"a3f74d66-be4b-4cc7-ac02-b52eee77e4cf","Consider doing a DPIA","\u003Cul>\u003Cli>\u003Cp>Risk profile is moderate.\u003C/p>\u003C/li>\u003Cli>\u003Cp>DPIA may not be legally required, but ICO recommends conducting one if there is any doubt.\u003C/p>\u003C/li>\u003Cli>\u003Cp>You should carry out a DPIA if any \u003Cem>high-risk processing\u003C/em> element (e.g., large-scale special category data, systematic monitoring, vulnerable data subjects) is involved.\u003C/p>\u003C/li>\u003C/ul>\u003Cp>Please note that a DPIA is \u003Cstrong>mandatory\u003C/strong> regardless of score if \u003Cstrong>any\u003C/strong> of these are ticked:\u003C/p>\u003Cul>\u003Cli>\u003Cp>Systematic and extensive profiling/automated decision-making with significant effects.\u003C/p>\u003C/li>\u003Cli>\u003Cp>Large-scale processing of special category or criminal offence data.\u003C/p>\u003C/li>\u003Cli>\u003Cp>Large-scale systematic monitoring of a publicly accessible place.\u003C/p>\u003C/li>\u003Cli>\u003Cp>Processing that could cause physical harm in the event of a breach.\u003C/p>\u003C/li>\u003C/ul>",{"id":180,"separator":166,"field":9,"operator":167,"value":9,"rules":181},"ee8c4b20-157a-495d-93fd-986a7a2de8b7",[182,187],{"id":183,"separator":9,"field":171,"operator":184,"value":185,"rules":186},"55f04f7a-f7d1-4ca6-ad67-f0c93f50e98d","greaterThanInclusive",3,[],{"id":188,"separator":9,"field":171,"operator":172,"value":189,"rules":190},"7e756485-4ae2-4d67-994b-8c7af87c7024",4,[],{"id":192,"label":193,"variant":159,"variantIndex":11,"variantColor":160,"variantIcon":161,"variantText":162,"contentHtml":194,"displayConditions":195},"96acff08-e131-4ff3-bd04-37cce028c1c0"," DPIA required","\u003Cul>\u003Cli>\u003Cp>High likelihood the processing meets the UK GDPR Art. 35(3) “likely high risk” threshold.\u003C/p>\u003C/li>\u003Cli>\u003Cp>ICO expectation is to carry out a DPIA before proceeding.\u003C/p>\u003C/li>\u003Cli>\u003Cp>If the DPIA identifies residual high risk that cannot be mitigated, you must consult the ICO before processing.\u003C/p>\u003C/li>\u003C/ul>\u003Cp>A DPIA is \u003Cstrong>mandatory\u003C/strong> regardless of score if \u003Cstrong>any\u003C/strong> of these are ticked:\u003C/p>\u003Cul>\u003Cli>\u003Cp>Systematic and extensive profiling/automated decision-making with significant effects.\u003C/p>\u003C/li>\u003Cli>\u003Cp>Large-scale processing of special category or criminal offence data.\u003C/p>\u003C/li>\u003Cli>\u003Cp>Large-scale systematic monitoring of a publicly accessible place.\u003C/p>\u003C/li>\u003Cli>\u003Cp>Processing that could cause physical harm in the event of a breach.\u003C/p>\u003C/li>\u003C/ul>",{"id":196,"separator":166,"field":9,"operator":167,"value":9,"rules":197},"391f0773-a24b-4ff2-a490-429a81943b5b",[198],{"id":199,"separator":9,"field":171,"operator":184,"value":200,"rules":201},"7740d802-1c17-451a-8282-a5cab070b432",5,[],"1b153311-405a-4bf5-fa3f-08ddd8172e55","1.0","https://static.dastra.eu/tenant-3/audit/7pxqIyllQSS4o6/icon-audit500x-150-150.png","This checklist helps assess whether a planned or existing personal data processing activity requires a Data Protection Impact Assessment (DPIA) under the UK GDPR. Each checked item indicates a potential risk factor, with the total score guiding whether a DPIA is mandatory, recommended, or unnecessary. More information on: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/guide-to-accountability-and-governance/data-protection-impact-assessments/","2025-08-10T14:07:02.9699689","2025-12-01T14:31:54.1519992","Standard","Auditoría estándar",{"id":211,"displayName":212,"familyName":213,"givenName":214,"email":215,"active":34,"color":216,"avatarUrl":217,"tenantId":11},38,"Paul-Emmanuel Bidault","Bidault","Paul-Emmanuel","paulemmanuel.bidault@dastra.eu","#FA4115","https://static.dastra.eu/tenant-27/avatar/38/paul-emmanuel-bidault-150.jpg","DataProcessing","#E7630A","ds-icon-data-processing","Procesamiento de datos",[223],{"id":211,"displayName":212,"familyName":213,"givenName":214,"email":215,"active":34,"color":216,"avatarUrl":217,"tenantId":11},[225,234],{"id":226,"label":227,"type":228,"typeIndex":229,"typeColor":230,"typeIcon":231,"typeText":232,"color":233},"ec674609-8b1a-4145-a815-7e0c2a6573ff","ICO","AuditTemplate",9,"#83d162","ds-icon-audit","Modelo de auditoría","#0CB8AE",{"id":235,"label":236,"type":228,"typeIndex":229,"typeColor":230,"typeIcon":231,"typeText":232,"color":237},"ff1dbf03-7561-4b63-996b-e899af94bb9a","PIA","#C75FFC"]