# UK GDPR & DPIA (Data Protection)

> Conduct and validate Data Protection Impact Assessments (DPIAs) under the UK GDPR and ICO guidance for high-risk processing. Suggests technical and organisational safeguards aligned with UK Adequacy standards. Validates breach-notification policies against the 72-hour ICO reporting window.

Tags: UK GDPR, DPIA, ICO, Data Protection, Privacy, Compliance, Breach Notification, Technology

## Example Prompts

- Conduct a DPIA for our new customer profiling system that uses automated decision-making
- Validate our breach-notification policy against the 72-hour ICO reporting requirement
- Assess safeguards for international data transfers to non-adequate countries under UK GDPR

URL: https://rakenne.app/skills/uk-gdpr-dpia/index.md

Try this skill: https://rakenne.app/a/?skill=uk-gdpr-dpia

## Overview

Conduct and validate Data Protection Impact Assessments (DPIAs) under the UK GDPR and ICO guidance for high-risk processing in technology and data-driven businesses. The skill walks you through the full DPIA lifecycle — from screening and scoping through risk assessment to sign-off — and suggests technical and organisational safeguards for international transfers that follow the UK transfer rules (adequacy regulations where they apply, or appropriate safeguards such as the IDTA or UK Addendum where no adequacy decision covers the recipient). It also validates internal breach-notification policies against the UK GDPR breach duties: notification to the ICO within 72 hours of becoming aware of a notifiable breach (Art. 33) and communication to affected data subjects without undue delay where the breach is likely to result in a high risk to them (Art. 34).

## Tools

- **dpia_risk_mitigator** — Analyses a DPIA document for required sections (processing description, necessity and proportionality, risk assessment, mitigation measures), detects risk categories mentioned in the text (confidentiality, international transfers, profiling, sensitive data, vulnerable data subjects, and more), and recommends UK-GDPR-aligned safeguards for each category — including IDTA, UK Addendum to EU SCCs, and Transfer Impact Assessment guidance for international transfers. Also flags unfilled placeholders.

- **breach_notification_logic** — Validates an internal breach-notification policy against UK GDPR Art. 33 and Art. 34. Checks for: 72-hour ICO notification window, risk-to-rights assessment, required notification content, communication to data subjects for high-risk breaches, breach register (Art. 33(5)), processor-to-controller obligations, and roles and responsibilities.
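The following Python sketch is an added example, not the skill's own tool code. It shows how the three kinds of check that the `dpia_risk_mitigator` description lists (required sections, risk categories mentioned in the text, unfilled placeholders) can be implemented over a Markdown DPIA. The section aliases, keyword lists, placeholder patterns and the sample DPIA are assumptions constructed for illustration; the page does not publish the real tool's matching rules.

```python
"""Minimal DPIA document checker over a Markdown DPIA.

Added example, not the skill's own tool code. It implements the three kinds of
check the dpia_risk_mitigator description lists: required sections, risk
categories mentioned in the text, and unfilled template placeholders.
Section aliases, keyword lists and the sample DPIA are constructed assumptions.
"""
import re
from dataclasses import dataclass

# Canonical section name -> heading substrings that count as that section
# (assumed aliases, matched case-insensitively against Markdown headings).
REQUIRED_SECTIONS = {
    "Processing description": ("processing description", "description of the processing"),
    "Necessity and proportionality": ("necessity", "proportionality"),
    "Risk assessment": ("risk assessment", "identify and assess risks"),
    "Mitigation measures": ("mitigation", "measures to reduce risk"),
}

# Risk category -> keywords looked up in the lower-cased document (constructed list).
RISK_KEYWORDS = {
    "Confidentiality": ("unauthorised access", "confidential", "breach"),
    "Automated decision-making": ("automated decision", "profil", "art. 22"),
    "International transfers": ("transfer", "third country", "united states", "idta"),
    "Sensitive data": ("special category", "health data", "biometric"),
    "Vulnerable data subjects": ("children", "vulnerable"),
    "Scale": ("large-scale", "large scale"),
}

# Unfilled template markers: {{VAR}}, [TODO ...], [TBD], [Insert ...], bare TODO/TBD.
PLACEHOLDER_RE = re.compile(
    r"\{\{[^}]*\}\}|\[[^\]]*\b(?:todo|tbd|insert)\b[^\]]*\]|\btodo\b|\btbd\b",
    re.IGNORECASE,
)
HEADING_RE = re.compile(r"^ {0,3}#{1,6}\s+(.*?)\s*#*\s*$")


@dataclass
class DpiaReport:
    sections: dict         # canonical section name -> present?
    risk_categories: list  # detected categories, in RISK_KEYWORDS order
    placeholders: list     # (line number, matched text)

    @property
    def complete(self) -> bool:
        """All required sections present and no placeholder left unfilled."""
        return all(self.sections.values()) and not self.placeholders


def headings(md: str) -> list:
    """Lower-cased text of every Markdown heading outside fenced code blocks."""
    out, in_fence = [], False
    for line in md.splitlines():
        if line.lstrip().startswith("```"):
            in_fence = not in_fence
        elif not in_fence:
            m = HEADING_RE.match(line)
            if m:
                out.append(m.group(1).lower())
    return out


def check_dpia(md: str) -> DpiaReport:
    heads = headings(md)
    sections = {
        name: any(alias in h for h in heads for alias in aliases)
        for name, aliases in REQUIRED_SECTIONS.items()
    }
    body = md.lower()
    categories = [c for c, kws in RISK_KEYWORDS.items() if any(k in body for k in kws)]
    placeholders = [
        (n, m.group(0))
        for n, line in enumerate(md.splitlines(), 1)
        for m in PLACEHOLDER_RE.finditer(line)
    ]
    return DpiaReport(sections, categories, placeholders)


def summarise(report: DpiaReport) -> str:
    """Render the report in the [OK]/[MISSING] style of the tool excerpt on this page."""
    lines = [f"  [{'OK' if ok else 'MISSING'}] {name}" for name, ok in report.sections.items()]
    lines.append(f"  Result: {sum(report.sections.values())}/{len(report.sections)} sections present")
    lines += [f"  Risk: {c}" for c in report.risk_categories]
    lines += [f"  [PLACEHOLDER] line {n}: {text}" for n, text in report.placeholders]
    lines.append("RESULT: OK" if report.complete else "RESULT: INCOMPLETE")
    return "\n".join(lines)


# Constructed sample DPIA: three of four sections and one unfilled placeholder.
SAMPLE_DPIA = """# DPIA: Customer analytics platform

## 1. Processing description
We profile customers to personalise product recommendations. Profiles are
transferred to a processor in the United States under the IDTA.

## 2. Necessity and proportionality
Profiling is necessary to deliver the recommendation service.
Retention period: {{RETENTION_PERIOD}}.

## 3. Risk assessment
Risk of unauthorised access to customer profiles; risk of automated decisions
with significant effects on individuals (Art. 22).
"""

if __name__ == "__main__":
    print(summarise(check_dpia(SAMPLE_DPIA)))
```

On the sample the checker reports the mitigation section as missing, detects confidentiality, automated decision-making and international-transfer risks, and flags the `{{RETENTION_PERIOD}}` placeholder, so the document is not marked complete until both the section and the placeholder are fixed. Keyword matching is deliberately simple: it tells you what the document mentions, not whether the safeguards it names are adequate, which remains the reviewer's judgement.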

## Getting Started

Add your draft DPIA or breach-notification policy (Markdown or text) to the project workspace, then activate the *UK GDPR & DPIA (Data Protection)* skill. The agent will guide you through the DPIA workflow step by step, using the ICO-aligned template and validation tools.

---

## Example conversation

Session where a user conducts a DPIA for a new customer analytics platform that involves profiling and international data transfers.

> **You:** We're launching a customer analytics platform that profiles users to personalise product recommendations. Some data will be transferred to a processor in the US. I need a DPIA.
>
> **Agent:** I'll start by screening for DPIA requirements. Your processing involves profiling (criterion 1), automated decision-making with potential significant effect (criterion 2), and large-scale processing (criterion 5) — that's three ICO triggers, so a DPIA is mandatory.
>
> I've created a DPIA from the template at `docs/dpia-analytics-platform.md`. I've pre-filled the processing description based on what you've told me. Let me walk through the remaining sections.
>
> **Agent:** I've completed sections 1–4 of the DPIA. Now I'll run the risk mitigator to check for gaps and get safeguard recommendations.
>
> Running `dpia_risk_mitigator` on `docs/dpia-analytics-platform.md`:
>
> - **Sections:** 4/4 present (processing description, necessity, risk assessment, mitigation).
> - **Risk categories detected:** Confidentiality, Automated decision-making, International transfers, Scale.
> - **Suggested safeguards** include: encryption at rest/in transit, Art. 22 human-intervention rights, IDTA or UK Addendum to EU SCCs for the US transfer, Transfer Impact Assessment, and data minimisation review.
>
> I've incorporated these into section 4. For the US transfer I've added section 5 with IDTA as the transfer mechanism and documented the Transfer Impact Assessment findings.
>
> **You:** We also need to update our breach-notification policy. Can you validate the current version?
>
> **Agent:** Running `breach_notification_logic` on `docs/breach-notification-policy.md`:
>
> - **Elements present:** 6/7 — 72-hour window, ICO as authority, risk assessment, notification content, breach register, roles and responsibilities.
> - **Missing:** Communication to data subjects for high-risk breaches (Art. 34).
> - **Warning:** No processor-to-controller notification clause found (Art. 33(2)).
>
> I'll add the missing Art. 34 section and the processor obligation clause now.

---

## Excerpt from dpia_risk_mitigator output

Example output when the DPIA is complete and covers international transfers.

```
================================================================
DPIA Risk Mitigator — UK GDPR / ICO Guidance
File: docs/dpia-analytics-platform.md
================================================================

--- Required DPIA sections ---
  [OK] Processing description
  [OK] Necessity and proportionality
  [OK] Risk assessment
  [OK] Mitigation measures
  Result: 4/4 sections present

--- Risk categories detected ---
  • Confidentiality
  • Automated decision-making
  • International transfers
  • Scale

--- Suggested safeguards (UK GDPR / ICO / UK Adequacy) ---
  [Confidentiality]
    → Encryption at rest and in transit (AES-256 / TLS 1.2+)
    → Role-based access control (RBAC) with least-privilege principle
    → Multi-factor authentication for access to personal data stores
    → Data Loss Prevention (DLP) tooling on egress channels

  [Automated decision-making]
    → Art. 22 safeguards: right to human intervention, right to contest, right to an explanation
    → Regular review and audit of automated decision-making models
    → Document logic, significance, and envisaged consequences for data subjects

  [International transfers]
    → UK Adequacy Regulations: verify recipient country has adequacy decision, or use appropriate safeguards
    → International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs
    → Transfer Impact Assessment (TIA) documenting risks in recipient country
    → Supplementary measures where TIA identifies residual risks

  [Scale]
    → Data minimisation review — collect only what is strictly necessary
    → Automated retention and deletion policies enforced at infrastructure level
    → Privacy-enhancing technologies (PETs): pseudonymisation, aggregation, k-anonymity

================================================================
RESULT: OK — all required DPIA sections are present.
================================================================
```

---

## Excerpt from a generated DPIA

Example of the international-transfers section produced with the skill. Whether a US recipient is covered by UK adequacy depends on the recipient, not just the country: since 12 October 2023 the UK Extension to the EU-US Data Privacy Framework (the UK-US "data bridge") allows transfers to US organisations certified under it on the basis of adequacy regulations, whereas an uncertified US processor, as in this excerpt, needs an appropriate safeguard such as the IDTA plus a Transfer Impact Assessment.

```markdown
## 5. UK Adequacy — international transfers

- **Recipient country:** United States
- **Adequacy decision:** No (as of assessment date)
- **Transfer mechanism:** International Data Transfer Agreement (IDTA)
- **Transfer Impact Assessment:** US surveillance laws (FISA 702, EO 12333) assessed.
  Risk mitigated by: (1) encryption in transit and at rest with keys held in the UK,
  (2) contractual prohibition on disclosing data to government authorities without
  notifying the controller, (3) pseudonymisation of direct identifiers before transfer.
- **Supplementary measures:** AES-256 encryption, pseudonymisation of user identifiers,
  contractual audit rights, annual review of US legal landscape.
```

---

Back to [Skill Library](https://rakenne.app/skills/index.md)
