Data Protection Impact Assessments (DPIAs)
A Data Protection Impact Assessment (DPIA) is a process to help you identify and minimise the data protection risks of a system, process or project within a University Faculty, Department, Division, Office, Unit, Centre, etc. (a “functional area”).
A DPIA is a way for a functional area to systematically and comprehensively analyse the processing of personal data and help identify and minimise data protection risks. It is an important tool for building and demonstrating compliance with the GDPR (i.e. accountability).
Completed Data Protection Checklists and DPIAs should be forwarded to the UL Data Protection Unit email@example.com for consideration, advice and feedback.
When is a DPIA required?
Under the General Data Protection Regulation (GDPR) a DPIA must be carried out where a planned or existing processing operation is “likely to result in a high risk” to individuals. Even if there is no specific indication of likely high risk, it is good practice to do a DPIA for any major new project involving the use of personal data.
All new projects, and significant changes to existing systems or processes, that involve the processing of personal data must complete the Data Protection Checklist to determine whether a full DPIA is required.
The GDPR provides examples of data processing that would fall into this category, but it is a non-exhaustive list. Examples of ‘high risk’ processing of personal data include:
What DPIAs involve:
A DPIA must:
DPIAs should consider compliance risks, but also broader risks to the rights and freedoms of data subjects, including the potential for any significant social or economic disadvantage. The focus is on the potential for harm – to individuals or to society at large, whether it is physical, material or non-material.
To assess the level of risk, a DPIA must consider both the likelihood and the severity of any impact on individuals. A DPIA does not have to eradicate the risks altogether, but should help to minimise risks and assess whether or not remaining risks are justified. High risk could result from either a high probability of some harm, or a lower possibility of serious harm.