Data Protection Impact Assessments (DPIA)

Under data protection legislation the University has an obligation to consider the impact on an individual's privacy during all processing activities. This includes implementing appropriate technical and organisational measures to minimise the risk to personal data.

It is particularly important to consider privacy issues when considering new processing activities or setting up new procedures or systems that involve personal data.  The GDPR imposes a specific 'privacy by design' requirement, emphasising the need to implement appropriate technical and organisational measures during the design stages of a process  and throughout the life cycle of the relevant data processing to ensure that privacy and protection of data is not an afterthought. 

For some projects the GDPR requires that a Data Protection Impact Assessment (DPIA) is  carried out.  The types of circumstances when this is required include

  • those involving processing of large amounts of personal data
  • where there is automatic processing/profiling;
  • processing of special categories of personal data
  • or monitoring of publicly accessible areas (i.e. CCTV). 
      The DPIA is a mechanism for identifying and examining the impact of new initiatives and putting in place measures to minimise or reduce risks. 


   You can access information about completing a DPIA in the DPIA Guidance document
   and in Section 12 of the Data Protection Guidance Handbook
   A word version of the DPIA form is here 

     The steps in undertaking a DPIA are as follows: