Data Protection Impact Assessments 

The General Data Protection Regulation (GDPR), Article 35, introduces a new legislative requirement to undertake a Data Protection Impact Assessment (DPIA) before carrying out processing that is ‘likely to result in a high risk to the rights and freedoms of natural persons’.

The questions and answers below provide University staff with the information needed to decide when to conduct a DPIA and the process to be followed. 

If you have any further questions, please email dataprotection@york.ac.uk.  


1. What is a DPIA?

A DPIA is a process to systematically analyse proposed data processing activities and to identify and minimise the data protection risks arising from them. As a minimum, it must: 

  • describe the proposed processing and its purpose; 
  • evidence the necessity of the proposed processing and its proportionality; 
  • identify and assess risks to individuals arising from the proposed processing; 
  • identify any measures that could be put in place to mitigate those risks and protect personal data. 

The DPIA does not have to eliminate risk, but it should reduce it to an acceptable level and document any residual risk that remains. 

2. When should a DPIA be conducted?

DPIAs should be undertaken for processing likely to be high risk. The Regulation gives examples but does not define ‘high risk’; the Information Commissioner’s Office (ICO) has produced the checklist below for determining when an assessment must, or should, be undertaken.

We will conduct a DPIA if we plan to do any of the following:

  • Use systematic and extensive profiling or automated decision-making to make significant decisions about people.
  • Process special category data or criminal offence data on a large scale.
  • Systematically monitor a publicly accessible place on a large scale.
  • Use new technologies.
  • Use profiling, automated decision-making or special category data to help make decisions on someone’s access to a service, opportunity or benefit.
  • Carry out profiling on a large scale.
  • Process biometric or genetic data.
  • Combine, compare or match data from multiple sources.
  • Process personal data without providing a privacy notice directly to the individual.
  • Process personal data in a way which involves tracking individuals’ online or offline location or behaviour.
  • Process children’s personal data for profiling or automated decision-making or for marketing purposes, or offer online services directly to them.
  • Process personal data which could result in a risk of physical harm in the event of a security breach.

We will consider carrying out a DPIA if we plan to do any of the following:

  • Evaluation or scoring.
  • Automated decision-making with significant effects.
  • Systematic monitoring.
  • Processing of sensitive data or data of a highly personal nature.
  • Processing on a large scale.
  • Processing of data concerning vulnerable data subjects.
  • Innovative technological or organisational solutions.
  • Processing involving preventing data subjects from exercising a right or using a service or contract.

It should be noted that there are broader reputational, financial and ethical benefits to be had from undertaking DPIAs. They help demonstrate the University’s commitment to data protection by design and by default, accountability and transparency, and they help build trust and engagement with our stakeholders. To that end, the lists above should not be considered exhaustive, and a DPIA should be undertaken whenever it would be useful. 

3. Does the University have a template DPIA available?

The University has adopted the template DPIA produced by the ICO. It can be accessed here: 

University of York DPIA Template (MS Word, 147kb).  

4. Who is responsible for completing the DPIA?

For research projects, the DPIA should be completed by the Chief Investigator, Principal Investigator or Supervisor. For all other projects, the DPIA should be undertaken by the project owner/lead. 

5. Who is responsible for DPIA sign-off?

The DPIA will need to be forwarded to the Data Protection Officer (DPO) (dataprotection@york.ac.uk) for approval. The DPO may require further information from you as part of that review. The DPO may also advise on additional steps to be taken to bring identified risk within acceptable levels. 

Where the DPIA identifies a high risk that cannot be reduced to an acceptable level by any available mitigation, the University must consult the Information Commissioner's Office before the processing begins (prior consultation under Article 36). The DPO will complete the Regulator's online form and submit a copy of the DPIA for consideration; the proposed processing must not start until that consultation is complete. Once the submission is received, the ICO will aim to respond within eight weeks but may extend the timeframe by a further six weeks where cases are complex. 

6. How do we carry out a DPIA?

1. Identify whether a DPIA is needed using the checklist available here - UoY DPIA Screening Questions (MS Word, 106kb)

2. Describe the proposed processing (e.g. explain the nature, scope, context and purpose of the proposed project) 

3. Consult widely - talk to data subjects, third-party data processors, the University's Data Protection Officer and other relevant contacts (e.g. the University's Records Manager, the IT Security team)

4. Assess the necessity and proportionality of the proposed activity 

5. Identify and assess the likelihood and severity of the data protection risks arising from the proposed activity (e.g. possible data loss, risk of inadvertent disclosure, unfairness to the individuals concerned) 

6. Identify measures to eliminate or mitigate each risk (e.g. documented security arrangements, handling procedures, data minimisation, robust contractual clauses with processors) 

7. Submit completed DPIA to the University's Data Protection Officer (dataprotection@york.ac.uk) for sign-off 

8. Record the outcome of the DPIA, including any differences of opinion with the Data Protection Officer or consulted individuals and how they were resolved 

9. Integrate the agreed mitigations into the project plan 

10. Keep the DPIA under review and revisit it whenever the nature, scope, context or purpose of the processing changes 

7. What should we do if we decide not to undertake a DPIA?

Where you decide not to undertake a DPIA, you will need to record your decision and the reasons for it, so that the University can demonstrate that the screening was carried out.