
Many digital health companies have a privacy policy. Far fewer have a properly conducted Data Protection Impact Assessment. The two are frequently conflated, but they serve entirely different purposes, and confusing them is one of the most common governance gaps that surfaces during NHS procurement, investor due diligence, and regulatory scrutiny.
Two documents, two purposes
A privacy policy is a public-facing document. It tells users, patients, or customers what personal data is collected, why it is collected, how it is used, who it is shared with, and what rights individuals have over it. It is a transparency obligation, a requirement under UK and EU GDPR to be open about data processing practices. A well-written privacy policy is necessary, but it is not evidence that anyone has systematically thought about the risks those data practices create.
A Data Protection Impact Assessment (DPIA) is an internal analytical process. Under UK GDPR, a DPIA must be conducted before beginning any type of processing that is likely to result in a high risk to the rights and freedoms of individuals. It is not a document written for the public. It is a structured, documented analysis of a specific data processing activity: what data is involved, what the risks are, how likely and severe those risks are, and what measures are in place or planned to reduce them. Its purpose is to surface problems while they can still be fixed, not to describe practices that are already in place.
When a DPIA is required
Under UK GDPR, processing is considered likely to result in high risk where it involves, among other things, systematic and extensive profiling with significant effects on individuals, large-scale processing of special category data, or systematic monitoring of publicly accessible areas. Health data is special category data under GDPR, which means that digital health products processing patient or user health information at any meaningful scale are very likely to trigger the obligation to conduct a DPIA before processing begins.
The word "before" carries significant weight here. A DPIA is not a retrospective exercise conducted to document what a product already does. The timing requirement under GDPR Article 35 is explicit: a DPIA must be conducted prior to the processing, meaning before a system is built, not after it is already running. This point is frequently misunderstood by smaller companies that treat the DPIA as a procurement checkbox to complete at the end of the development cycle rather than as a design input at the beginning.
Why the stakes have risen
The stakes of getting this wrong are not trivial. The healthcare sector has seen particularly serious enforcement activity, with an average GDPR fine of EUR 203,423 per violation in healthcare in 2024, up from EUR 17,500 the year before. In at least one case a hospital paid EUR 200,000 after a ransomware attack where regulators found no DPIA had been carried out.
For digital health companies seeking NHS adoption, the DPIA requirement is embedded directly in the Digital Technology Assessment Criteria. As part of DTAC, there is an expectation for the manufacturer to complete a DPIA as part of their submission, and this is a mandatory requirement under data protection law for the implementation of any new digital technology within the NHS.
Practical considerations
A DPIA should be specific to the product and the processing activity in question. A generic template downloaded from the internet and populated with minimal detail is unlikely to satisfy either a regulatory audit or an NHS information governance professional. The assessment needs to reflect the actual data flows, the actual risks, and the actual mitigations in place for the product being assessed.
A DPIA is also a living document, not a one-off exercise. Where there are residual risks that cannot be mitigated by the measures in place, the relevant data protection authority must be consulted prior to the start of processing. If a product is updated in ways that change how data is handled, the DPIA should be reviewed and updated accordingly.
For AI-enabled products, there is an additional layer of complexity. AI systems now trigger two separate assessment obligations: a GDPR DPIA and an EU AI Act Fundamental Rights Impact Assessment. These are not interchangeable and cannot be satisfied by a single document. Understanding the relationship between these two requirements, and how to address both in a coordinated and proportionate way, is becoming a practical necessity for companies operating in the digital health space in 2026.
The distinction between a privacy policy and a DPIA matters because one describes what you do with data, and the other demonstrates that you have thought carefully about whether what you do is safe, lawful, and proportionate. For NHS buyers, investors, and regulators, the second carries considerably more weight than the first.
Lemic Consulting supports digital health teams with Data Privacy and Trust Reviews, including DPIA informed assessments for products seeking NHS procurement, EU funding compliance, or investor due diligence. Get in touch to discuss your specific situation.

