The General Data Protection Regulation alongside the Data Protection Act 2018 require organisations to store and process data in accordance with the rights, obligations and principles of autonomy, transparency and confidentiality. Scheduled data protection impact assessments (DPIAs) identify risks, mitigations and responsibilities to ensure that the minimum amount of data is held for clearly defined purposes.