Data Protection Impact Assessments (DPIAs)


A Data Protection Impact Assessment (DPIA) is a process to help you identify and minimise the data protection risks of a system/process/project within a University Faculty / Dept / Division / Office / Unit / Centre etc (“functional area”).

A DPIA is a way for a functional area to systematically and comprehensively analyse the processing of personal data and help identify and minimise data protection risks. It is an important tool for building and demonstrating compliance with the GDPR (i.e. accountability).

Completed Data Protection Checklists and DPIAs should be forwarded to the UL Data Protection Unit for consideration, advice and feedback.

When is a DPIA required?

Under the General Data Protection Regulation (GDPR) a DPIA must be carried out where a planned or existing processing operation is “likely to result in a high risk” to individuals. Even if there is no specific indication of likely high risk, it is good practice to do a DPIA for any major new project involving the use of personal data.

All new projects, and significant changes to existing systems or processes, that require the processing of personal data must first complete the Data Protection CHECKLIST to determine whether a full DPIA is required.

The GDPR provides examples of data processing that would fall into this category, but it is a non-exhaustive list. Examples of ‘high risk’ processing of personal data include:

  • Evaluation / profiling;
  • Automated decision-making;
  • Systematic monitoring;
  • Special categories of personal data (e.g. sensitive personal data or criminal investigation data);
  • Data processed on a large scale;
  • Matching/combining datasets;
  • Data concerning vulnerable data subjects;
  • Innovative use or application of new technological/organisational solutions;
  • Processing that prevents data subjects from exercising a right or using a service/contract;
  • Processing that falls under the definition of “Health Research” in the Health Regulations.

What DPIAs involve:

A DPIA must:

  • describe the nature, scope, context and purposes of the processing;
  • assess necessity, proportionality and compliance measures;
  • identify and assess risks to individuals; and
  • identify any additional measures to mitigate those risks.

DPIAs should consider compliance risks, but also broader risks to the rights and freedoms of data subjects, including the potential for any significant social or economic disadvantage. The focus is on the potential for harm – to individuals or to society at large, whether it is physical, material or non-material.

To assess the level of risk, a DPIA must consider both the likelihood and the severity of any impact on individuals. A DPIA does not have to eradicate the risks altogether, but should help to minimise risks and assess whether or not remaining risks are justified. High risk could result from either a high probability of some harm, or a lower possibility of serious harm.
