The General Data Protection Regulation (GDPR) introduces a new legislative requirement to undertake a Data Protection Impact Assessment (DPIA) before carrying out ‘processing likely to result in a high risk to individuals’ interests’.
The questions and answers below provide University staff with the information needed to decide when to conduct a DPIA and the process to be followed.
If you have any further questions, please email firstname.lastname@example.org.
A DPIA is a process to systematically analyse proposed data processing activities and help identify and minimise data protection risks arising. As a minimum, it must:
The DPIA does not have to eradicate risk but should minimise it and bring it within acceptable levels.
DPIAs should be undertaken for processing likely to be high risk. The Regulation does not define ‘high risk’ but the Information Commissioner’s Office has produced the checklist below for determining when assessments should be undertaken.
We will conduct a DPIA if we plan to do any of the following:
We will consider carrying out a DPIA if we plan to do any of the following:
It should be noted that there are broader reputational, financial and ethical benefits to be had from undertaking DPIAs. They can help demonstrate University commitment to privacy by default and design, accountability and transparency. They can also help build trust and engagement with our stakeholders. To that end, the list above should not be considered exhaustive and a DPIA should be undertaken whenever it would be useful.
The University has adopted the template DPIA produced by the ICO. It can be accessed here:
For research projects, the DPIA should be completed by the Chief Investigator, Principal Investigator or Supervisor. For all other projects, the DPIA should be undertaken by the project owner/lead.
The DPIA will need to be forwarded to the Data Protection Officer (DPO) (email@example.com) for approval. The DPO may require further information from you as part of that review. The DPO may also advise on additional steps to be taken to bring identified risk within acceptable levels.
Where the DPO feels risk is high and no remedial action can be taken to mitigate it, the proposed processing activity will need to be referred to the Information Commissioner's Office for review. The DPO will complete the Regulator's online form and submit a copy of the DPIA for consideration. Once received, the ICO will aim to respond within eight weeks but may extend the timeframe by a further six weeks where cases are complex.
1. Identify whether a DPIA is needed using the checklist available here - UoY DPIA Screening Questions (MS Word, 106kb)
2. Describe the proposed processing (e.g. explain the nature, scope, context and purpose of the proposed project)
3. Consult widely - talk to data subjects, third-party data processors, the University's Data Protection Officer and other relevant contacts (e.g. the University's Records Manager, IT Security team etc.)
4. Assess the necessity and proportionality of the proposed activity
5. Identify and assess the severity of data protection risks arising from the proposed activity (e.g. possible data loss, risk of inadvertent disclosure, fairness of activity etc.)
6. Identify measures to eliminate or mitigate risk (e.g. documented security arrangements, handling procedures, use of robust contractual clauses etc.)
7. Submit completed DPIA to the University's Data Protection Officer (firstname.lastname@example.org) for sign-off
8. Record the outcome of the DPIA, including differences of opinion with the Data Protection Officer or consulted individuals.
9. Integrate agreed mitigations into the project plan
10. Keep the DPIA under review and revisit as necessary
Where you decide not to undertake a DPIA, you will need to record your decision.