Sytorus Data Protection Impact Assessment

Ensuring all new projects are compliant with ​​​​​​​the General Data Protection Regulation (GDPR)

What is the Data Protection Impact Assessment (DPIA)?

What is the Data Protection Impact Assessment (DPIA)?

The DPIA supports the identification of and mitigation against data protection related risks arising from a new project or process, which may affect your organisation or individuals it engages with. The DPIA helps organisations make informed decisions about the acceptability of data protection risks, a mandatory requirement under Article 35 of the GDPR, for any high-risk data processing project.

Following a facilitated interactive workshop Sytorus will offer practical, commercially appropriate recommendations as to how identified possible risks and gaps can be addressed and resolved in a timely manner, and with minimal disruption to the organisation’s day-to-day business operations.

Why you need it and why it’s important

Why you need it and why it’s important

Do you know how compliant your organisation is with your DPIA requirements?

Do you know which new projects and key processes in your organisation require a DPIA to be completed?

Do you know the risks associated with the introduction of new IT systems and applications where large scale personal data processing is occurring?

Are you still struggling with where to start on your UK Data Protection Act 2018 (GDPR) compliance activities?

Major Benefits

Major Benefits

A DPIA will deliver real benefits and a real return on your investment (ROI). The ROI can be realised through:

  • Demonstrate compliance internally & externally
  • Brand protection
  • Remove possible reputational damage
  • Enhanced customer satisfaction & engagement
  • Higher customer retention levels

The 6-Step Process

The Sytorus DPIA is a 6-step process specifically designed to identify and address all Data Protection risks within a new or existing project.

Step 1: Stakeholders, Systems and Entities
A complete list of stakeholders, entities and systems. Anyone or anything that processes personal data should be considered in this category. This could be a job role, a person, a third party or a computer system.

Step 2: Identify Processes
A complete list of data management processes. A process is any event that is required to complete a business function. The focus is on processes that involve personal and special categories of data.

Step 3: Workflow Analysis
For processes identified in Step 2, we assess via our collaborative workshops what data is processed, what systems have visibility of this data, where the data is processed and who has access to it.

Step 4: Data Protection Assessment
For each process identified in Step 3, we categorise the processing according to UK Data Protection Act 2018 (GDPR) compliance requirements, areas of consideration and evaluation of potential risk.

Step 5: Risk Analysis
A Risk Register is created in parallel with Step 4 to measure risk against likelihood and severity. A point in time heat map is generated for executive attention as to the current risk status.

Step 6: Implementation
An agreed implementation plan is formalised into actionable items and after implementation a new point in time heat map is generated to reflect progress and identify next steps.



The DPIA workshop typically involves several key stakeholders within an organisation and is overseen by an internal sponsor who is either the current Data Protection Officer/Lead or is intended to take up this role in the medium term.

A DPIA engagement can vary depending on the customer and the complexity of the proposed processing change. The Sytorus team will work with you to identify the most suitable candidates for the assessment workshop.