Welcome to the Information Commissioner’s Data Protection Impact Assessments (“DPIAs”) page.
It is important to note that DPIAs are not a new concept: they were already recognised procedures that organisations used under the EU Data Protection Directive 95/46/EC and the EU General Data Protection Regulation 2016/679 (“EU GDPR”), prior to the introduction of the Gibraltar General Data Protection Regulation (“Gibraltar GDPR”) on 1st January 2021.
Conducting a DPIA is, however, mandatory under the Gibraltar GDPR for all data processing that is “likely to result in a high risk to the rights and freedoms of natural persons” (see Article 35(1) of the Gibraltar GDPR).
Although undertaking a DPIA is not always compulsory, organisations may find it useful to conduct one, as the procedure is designed to help identify and minimise the privacy risks of new projects or policies. A DPIA is therefore an important accountability tool that will help organisations comply with the Gibraltar GDPR and/or the Data Protection Act 2004, including the requirement to demonstrate that appropriate measures have been implemented to ensure compliance with data protection law.
Where a DPIA indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate that risk, the controller must consult the Information Commissioner before the processing begins (see Article 36(1) of the Gibraltar GDPR).
For further information and resources, please see the Information Commissioner’s Guidance Notes page, and in particular the subsection titled “GDPR (4) Data Protection Impact Assessment”, available here:
GDPR (4) Data Protection Impact Assessments (DPIAs)
Please note that on 1st January 2021 the EU GDPR was superseded in Gibraltar by the Gibraltar GDPR. The legislation remains largely the same, so the general principles relating to the EU GDPR that are referenced in the resources on the Guidance Notes page (linked above) continue to apply under the current regime.