The GDPR requires a Data Protection Impact Assessment (DPIA) to be undertaken by an organisation where the processing of data is likely to result in a high risk to individuals.

A DPIA is normally required if:

• Systematic and/or extensive profiling or automated decision-making is implemented to make significant decisions about people
• A publicly accessible place on a large scale is systematically monitored
• New technologies are used
• Profiling on a large scale is carried out
• Biometric or genetic data is processed
• Multiple data points are combined or compared from multiple sources
• Personal data is processed without providing a privacy notice
• The location or behaviour of individuals is tracked
• Children's personal data is processed to directly offer online services to them
• Personal data is processed which could result in a risk of physical harm in the event of a security breach

As such, the GDPR does not mandate that ShopWired conduct an immediate DPIA on it's activities as a data processor.

When any new project or works are undertaken by ShopWired we will conduct an assessment to ascertain whether we should conduct a DPIA. In conducting this assessment we'll look at multiple factors including:

• Whether we will be carrying out any automated decision making or scoring
• Whether we'll be processing sensitive data (such as credit card numbers, social security or national insurance numbers)
• Whether we'll be processing on a larger scale than before
• Whether we'll be processing the data of vulnerable data subjects
• Whether we'll be using untested or innovative technological solutions for the processing of data

Where a DPIA is assessed as not being required, we'll document the reasons behind our decision and the processes followed in our assessment.