DPIA Requirements for Projects - Leeds

Technology and Data · England · Published February 12, 2026

Local project leads in Leeds, England must understand when a Data Protection Impact Assessment (DPIA) is required, who enforces the rules and how to comply with both council practice and UK data-protection law; see Leeds City Council guidance for local procedures[1].

A DPIA is an early-stage privacy risk check that can prevent costly enforcement later.

When a DPIA is required

A DPIA is required where a project is likely to result in a high risk to individuals’ rights and freedoms, for example new systems for large-scale processing, systematic monitoring, or processing of special category data; follow ICO screening guidance to assess risk and thresholds for Leeds projects[2].

  • Large-scale collection or storage of personal data, including databases holding contact lists or residents’ records.
  • Major IT system changes, cloud migrations or new third-party processors used by council services.
  • Systematic monitoring or profiling of individuals, CCTV projects with advanced analytics, or automated decision-making.
  • Processing special category data at scale, such as health, racial or biometric information in a project context.

Penalties & Enforcement

Enforcement for failures to carry out required DPIAs or to mitigate identified risks is led by the Information Commissioner’s Office nationally; Leeds City Council must also follow ICO guidance in its role as a data controller and has internal procedures for reporting and remedial action[2].

  • Monetary penalties: ICO may impose fines up to £17.5 million or 4% of global annual turnover for GDPR breaches, as described by the ICO guidance cited below.
  • Escalation: details of first, repeat or continuing offence ranges are not specified on the cited page.
  • Non-monetary sanctions: enforcement notices, orders to stop processing, corrective measures and audits may be issued by the ICO; the council can also order project suspension or remediation internally.
  • Enforcer and complaints: ICO is the statutory regulator; local reporting and internal escalation are handled by Leeds City Council Information Management/Data Protection Officers as set out on the council site[1].
  • Appeals and review: routes for appeal against ICO enforcement are referenced by the ICO but specific time limits for appeals are not specified on the cited page.
If you suspect a DPIA was required but not completed, report the issue to your data protection lead immediately.

Applications & Forms

Leeds City Council does not publish a mandatory citywide DPIA form on the cited page; project teams should use the ICO DPIA template and the council's internal guidance or contact the council data protection team for local templates[2] [1].

How to prepare a DPIA for a Leeds project

Follow a structured approach that maps data flows, assesses risks, documents mitigations and obtains sign-off from your council data-protection lead before procurement or launch.

  • Start DPIA screening at project conception and update at major project milestones.
  • Document lawful bases, data minimisation, retention and security measures.
  • Record outcomes and keep the DPIA on file for audits and future reviews.
Keeping DPIAs updated reduces risk of enforcement and improves public trust.

Action steps

  • Screen the project against ICO DPIA criteria and complete a full DPIA if screening indicates high risk.
  • Contact the Leeds City Council data-protection lead early for local requirements and sign-off steps.
  • If non-compliance is found, follow council incident reporting, implement remediation and notify the ICO if required.

FAQ

When must a DPIA be done for a council project?
A DPIA is required where processing is likely to result in high risk to individuals, such as large-scale profiling, special category data processing or new surveillance technologies.
Does Leeds publish a standard DPIA form?
Leeds City Council's public page does not publish a single mandatory DPIA form; project teams should use ICO templates and seek council internal guidance.[1]
Who enforces DPIA compliance for local projects?
The Information Commissioner’s Office is the statutory regulator and may issue fines or enforcement orders; the council enforces internal compliance and reporting.

How-To

  1. Screen the project using the ICO DPIA screening checklist.
  2. If screening indicates high risk, complete a full DPIA documenting processing, risks and mitigations.
  3. Share the DPIA with your Leeds City Council data-protection lead for review and local sign-off.
  4. Implement agreed technical and organisational mitigations and record decisions.
  5. Retain the DPIA and review it at defined project milestones or after significant changes.

Key Takeaways

  • DPIAs prevent privacy harm and are required for high-risk processing in Leeds projects.
  • The ICO enforces compliance nationally; follow Leeds City Council procedures for local sign-off.

Help and Support / Resources