Data Protection Impact Assessments (DPIA)

Under data protection legislation the University has an obligation to consider the impact on an individual’s privacy during all processing activities. This includes implementing appropriate technical and organisational measures to minimise the risk to personal data.

It is particularly important to consider privacy issues when considering new processing activities or setting up new procedures or systems that involve personal data.  The GDPR imposes a specific ‘privacy by design’ requirement, emphasising the need to implement appropriate technical and organisational measures during the design stages of a process  and throughout the life cycle of the relevant data processing to ensure that privacy and protection of data is not an afterthought. 

For some projects the UK GDPR requires that a Data Protection Impact Assessment (DPIA) is  carried out.  The types of circumstances when this is required include

• those involving processing of large amounts of personal data
• where there is automatic processing/profiling;
• processing of special categories of personal data
• or monitoring of publicly accessible areas (i.e. CCTV). 

      The DPIA is a mechanism for identifying and examining the impact of new initiatives and putting in place measures to minimise or reduce risks. 

  You can access a template DPIA form here – completed DPIAs should be submitted to the Information Governance Officer for review and approval.

     The steps in undertaking a DPIA are as follows: