Data protection impact assessments (DPIAs)
Guidance for staff on carrying out a data protection impact assessment (DPIA)
A DPIA is:
- A tool/process to assist organisations in identifying and minimising the privacy risks of new projects, systems or policies
- A type of impact assessment conducted by an organisation, auditing its own processes to see how these processes affect or might compromise the privacy of the individuals whose data it holds, collects, or processes
- A tool/process to assist organisations in ensuring that all activities involving personal data are proportionate and necessary
A DPIA is designed to accomplish three goals:
- Ensure compliance with applicable legal, regulatory, and policy requirements for privacy;
- Determine the risks and effects; and
- Evaluate protections and alternative processes to mitigate potential privacy risks.
When do I need to carry out a DPIA?
When you plan to:
- Embark on a new project involving the collection of personal data;
- Introduce new IT systems for storing and accessing personal information;
- Participate in a new data-sharing initiative with other organisations;
- Initiate actions based on a policy of identifying particular demographics;
- Use existing data for a “new and unexpected or more intrusive purpose”;
- Review or audit an existing system or activity.
Has a DPIA already been done for what I want to do?
You can check if a DPIA has been done for your project/system/policy on the Data Protection SharePoint Intranet.
If a DPIA has already been completed for the specific processing or system you wish to use, you may be able to use that assessment as a basis rather than completing a new one. Please get in touch with the Data Protection Officer at email@example.com to confirm.
If your legal basis is 'legitimate interest', you can find out here if a Legitimate Interest Assessment has already been done:
Requesting a DPIA
When you need to conduct a DPIA, email the Data Protection Officer at firstname.lastname@example.org and you will be assigned an assessment through our online tool. The assessment tool is a platform hosted by a third party, but it is accessed through Single Sign-On. When you request a DPIA from the Data Protection Officer, you need to provide your name and UUN, as well as the names and UUNs of everyone who needs access to the DPIA. If external people require access, their name and email address are required.
If you are a student and need to do a DPIA, then please download the template below together with the guidance. Upon completion, your academic supervisor will approve the DPIA. If you have already completed an ethics approval form which includes a DPIA, you do not need to complete this form.
Watch a video of how to conduct a DPIA:
Here is a link to a workshop held with a number of Data Protection Champions, in which a spoof DPIA was filled in to demonstrate and explain what each section requires and entails. The video is hosted on SharePoint and can be accessed here:
- Video: DPIA Workshop Recording
- This recording takes you step-by-step through completing a DPIA.
If you require these documents in an alternative format, such as large print or a coloured background, please contact the Data Protection Officer on 0131 651 4114 or email email@example.com.