When to Carry Out DPIAs - Glasgow City Law

Technology and Data Scotland · published February 11, 2026

Introduction

Public bodies and contractors in Glasgow, Scotland must assess high-risk processing under the UK data protection regime. A Data Protection Impact Assessment (DPIA) helps record lawful decision-making, reduce privacy risk and demonstrate compliance when processing is likely to result in high risk to individuals. This guide explains when to carry out DPIAs in a city context, who enforces the rules in Glasgow, how to document decisions, and practical next steps for council teams and partners.

When to carry out a DPIA

Carry out a DPIA at the planning stage for any new project or system that involves personal data and is likely to produce high risk to individuals' rights and freedoms. Typical triggers include large-scale profiling, systematic monitoring of public spaces, use of new technologies (AI, facial recognition), or combining multiple databases.

  • When introducing new data-driven systems or major changes to existing systems.
  • When processing is likely to result in high risk, such as large-scale special category data or systematic public monitoring.
  • When a legal or policy change requires new categories of data to be collected or shared.
  • When deploying new technologies (AI, biometric systems) that make automated decisions affecting individuals.

Start DPIA screening as soon as the project is scoped, not after procurement.

How to decide risk and scope

Use a two-stage approach: screening to identify likely high-risk processing and a full DPIA if screening flags risk. The DPIA should document purpose, lawful basis, data flows, risk assessment, mitigation measures and decision logs.

  • Screen early in project planning and repeat if the project changes.
  • Consult the Data Protection Officer and legal services for borderline cases.
  • Document mitigation measures and monitoring arrangements in the DPIA.

Penalties & Enforcement

Enforcement for failures to carry out or properly act on DPIAs is led by the Information Commissioner for the UK; local council governance and employment rules apply for internal non-compliance. Specifics differ by instrument and are set out on official regulator and council pages below.[1][2]

  • Monetary fines by the regulator: up to £17.5 million or 4% of annual global turnover for the most serious data protection breaches, as set out by the regulator on its guidance page.[1]
  • Escalation: details of first, repeat or continuing offence ranges are not specified on the cited council page; regulator guidance sets tiers for breaches but does not list separate daily continuing fines for DPIA failures on that page.[1]
  • Non-monetary sanctions include enforcement notices, orders to stop processing, rectification requirements and formal reprimands by the regulator; internal disciplinary measures may apply under council employment policies (not specified on the cited council page).[1][2]
  • Enforcer and contacts: the Information Commissioner is the statutory regulator; Glasgow City Council’s Data Protection Officer handles internal policy, records and complaints for council services.[1][2]
  • Appeals and review: regulatory decisions can be challenged to the First-tier Tribunal (Information Rights); specific time limits and procedural detail are not specified on the cited pages and should be checked on the regulator or tribunal guidance pages.[1]
  • Defences and discretion: reasonable excuses or proportional mitigation may be considered by the regulator; internal permits or variances are governed by council policy and are not published in detail on the cited council page.[1][2]

Common violations and typical consequences

  • Failing to screen a high-risk project for a DPIA — regulator enforcement action possible; monetary penalties may apply per regulator guidance.[1]
  • Incomplete DPIA that does not document mitigation — likely enforcement notice and requirement to remedy, with fines for breaches if data rights are infringed.[1]
  • Unauthorised deployment of intrusive technology (e.g., facial recognition) without DPIA or legal basis — enforcement notices and other sanctions; council procurement and employment consequences may follow (not specified on the cited council page).[1][2]

Applications & Forms

The Information Commissioner provides DPIA templates and guidance for screening and full assessments; these are available for download from the regulator’s site. Glasgow City Council publishes its data protection contact and internal procedures, but a council-specific DPIA submission form is not specified on the cited council page.[1][2]

Practical action steps for Glasgow projects

  • Screen every project at planning stage using the ICO screening checklist or the council’s internal guidance.
  • If screening flags high risk, complete a full DPIA documenting purpose, lawful basis, data flows, risk mitigation and monitoring.
  • Consult the Glasgow City Council Data Protection Officer and legal team early; record advice and decisions in the project file.
  • Implement mitigation measures before processing and monitor effectiveness; update the DPIA if processing changes.

Keep DPIA records for the life of the project and longer if required by retention policies.

FAQ

When exactly is a DPIA required?

A DPIA is required when processing is likely to result in high risk to individuals, for example large-scale profiling, special category processing, or systematic monitoring; follow the regulator screening questions to decide.[1]

Who enforces DPIA requirements in Glasgow?

The Information Commissioner enforces data protection law nationally; Glasgow City Council’s Data Protection Officer manages council compliance and internal action on DPIAs.[1][2]

Is there a council DPIA form to submit?

The ICO provides template DPIA documents for screening and full assessments; a specific Glasgow City Council submission form is not specified on the council page, and teams should contact the council DPO for local process details.[1][2]

How-To

  1. Screen the project using the regulator checklist to decide if a full DPIA is needed.
  2. If needed, prepare a full DPIA documenting purpose, lawful basis, data flows and risks.
  3. Identify and record mitigation measures and appoint responsible officers to implement them.
  4. Consult the council Data Protection Officer and legal advisers; adjust the DPIA based on feedback.
  5. Implement measures before processing, monitor effectiveness and update the DPIA if circumstances change.
  6. Retain the DPIA and decision logs in project records and be prepared to share with the regulator if requested.

Key Takeaways

  • DPIA screening at project start prevents later enforcement and supports lawful procurement.
  • Use ICO templates and consult the Glasgow DPO for local policy and records.

Help and Support / Resources