LEGAL← BACK TO PARIAH.DEV

Data Protection Impact Assessment (Template & Guidance)

Version 1.0 · Effective date: 21 June 2026

A DPIA is legally required for facial recognition because it is large‑scale processing of special‑category biometric data using innovative technology — squarely within the ICO's "likely high risk" criteria. Complete this before going live and keep it under review.

1. Describe the processing

2. Consultation

Record who you consulted — data subjects or their representatives (where appropriate), staff, your DPO, and any processors.

3. Necessity and proportionality

4. Identify and assess risks

For each risk, record likelihood, severity, and overall risk:

Risk to individuals Likelihood Severity Overall
Misidentification (false positive) leading to wrongful treatment
Bias/discrimination across demographics
Excessive or indefinite retention
Lack of awareness (no effective notice)
Unauthorised access / data breach
Function creep beyond the security purpose
Chilling effect / disproportionate surveillance

5. Measures to reduce risk

Risk Measure Effect on risk Residual risk
Misidentification Human review before action; confidence thresholds
Bias Monitoring, testing, fair‑treatment procedures
Retention Short, enforced retention periods
Transparency Signage + privacy notice
Security Encryption, RBAC, audit logging (see DPA Annex B)
Function creep Documented purpose limitation; access controls

6. Sign‑off and review


Use this alongside the ICO's DPIA guidance (ico.org.uk). Questions: dpo@pariah.dev