DUAA Compliance Deadline: 19 June 2026
MAXIMUM FINE: £8.7 MILLION

Data Protection Impact Assessment

Every care agency processing its clients' health data needs a DPIA under Article 35 UK GDPR. We produce yours, bespoke to your service.

What is a DPIA?

A Data Protection Impact Assessment (DPIA) is required under Article 35 of UK GDPR. It is a systematic process for identifying, assessing and minimising the data protection risks of a project or system, and the written record of that process is what the ICO will ask to see.

A DPIA is not optional. Under Article 35(1), you must carry out a DPIA before starting any processing that is "likely to result in a high risk to the rights and freedoms of natural persons."

Article 35(3)(b) names large-scale processing of special category data, which includes health data, as one trigger, and the ICO's published list of high-risk processing adds data about vulnerable individuals, location tracking and processing that could lead to physical harm. A care agency meets several of these at once: it holds diagnoses, medications, mental capacity assessments and care plans for people who are, by definition, vulnerable. You need a DPIA.

Why every care agency needs a DPIA

Care agencies face data protection risks that most other sectors do not:

Home Access Codes

Key safe codes, stored alongside the address they open, let anyone who obtains them into a vulnerable person's home. A breach here is a risk of physical harm, not only a privacy harm, and that risk is itself on the ICO's list of high-risk processing. This is the highest-risk data category in domiciliary care.

GPS Tracking

Real-time location monitoring of carers, often through an app on their personal mobile phones. Location tracking of individuals is on the ICO's list of processing likely to result in high risk, and because the phones are personal devices the assessment also has to cover what the app can access on the device and how access is revoked when the carer leaves.

MAR Sheets

Medication Administration Records containing detailed health information. Often stored on tablets, phones, or shared drives.

Care Management Systems

Log my Care, Nourish, PCS, Birdie: cloud-based systems holding large volumes of special category data, processed on your behalf by a third party. Moving the data to a supplier does not move the responsibility: the agency remains the controller and needs an Article 28 processor contract with each supplier.

The 7 steps of a compliant DPIA

The ICO's DPIA template sets out seven steps, and Article 35(7) fixes the minimum content an assessment must contain. We follow all of them:

1. Identify the need for a DPIA
Establish whether a DPIA is required and document the decision, including who took it and on what basis.

2. Describe the processing
Document what data is processed, how, why and by whom, and where it flows, including every third-party system and device that holds it.

3. Consider consultation
Identify who should be consulted: data subjects or their representatives and families, the DPO, the staff who handle the data, and any processors.

4. Assess necessity and proportionality
Is the processing necessary for the purpose, and is it proportionate? Could the same outcome be achieved with less data, shorter retention or less precise tracking?

5. Identify and assess risks
What are the risks to individuals' rights and freedoms, and how likely and how severe is each one?

6. Identify measures to mitigate risks
What safeguards will you put in place, and what residual risk remains once they are applied?

7. Sign off and record outcomes
Document the decisions, get approval from senior management, and keep the DPIA under review as the processing changes. If a high residual risk remains after mitigation, Article 36 requires you to consult the ICO before the processing starts.

What we deliver

Domiciliary Care Agency

£1,500

  • Full DPIA for client care records
  • Covers your care management system
  • GPS monitoring assessment
  • Home access code policy review
  • Risk register with RAG scoring

Care Home

£1,800

  • Full DPIA for resident records
  • CCTV and monitoring systems
  • Medication management systems
  • Family communication systems
  • Risk register with RAG scoring

Delivered within 10 working days

From receipt of your completed intake questionnaire.

£8.7m

Maximum fine for failing to carry out a mandatory DPIA

Under Article 83(4) UK GDPR, failing to carry out a DPIA where one is required carries a maximum fine of £8.7m or 2% of total annual worldwide turnover, whichever is higher. The same tier covers the processor and security obligations in Articles 28 and 32. Enforcement in this sector is real: in 2025 the ICO fined Advanced Computer Software Group £3.07m for security failings behind a 2022 ransomware attack that exposed the personal data of tens of thousands of people, including details of how to get into the homes of hundreds of people receiving care at home.