Data Protection Impact Assessment

Please note, the Data Protection & Freedom of Information Office (DP&FOI Office) provide advice and recommendations in relation to Data Protection Impact Assessments that are shared with them for review and comment. The DP&FOI Office do not “approve” or “sign off” on DPIAs. It is the responsibility of the PI/ Project Leader to either accept or overrule the recommendations issued by the DP&FOI Office. If the latter, this should be justified and recorded on the DPIA form.

  • What is a DPIA: A tool for building and demonstrating compliance and trust and for protecting the rights and interests of data subjects. A DPIA is a legal requirement when processing high risk personal data, or when the processing is likely to result in a high risk to data subjects. Review the Information Risk Classifications to determine if you are working with high risk data. Review, and complete all relevant sections in DPIA requirements
  • When is a DPIA carried out: At the start of any major project/service that will process personal data, or when making a significant change that affects the risk level to personal data.  Assess and integrate DPIA actions into your project plan, and deliver on them. Examples of when a DPIA may be required include:
    • undertaking research involving human data subjects
    • building or migrating to new IT systems for storing or accessing personal data
    • developing or amending a policy or strategy that has privacy implications
    • embarking on new data sharing initiatives with other organisations
    • using data for new purposes  
  • Why carry out a DPIA: As stated above a DPIA is a legal requirement in certain circumstances. A DPIA allows you to assess and integrate DPIA actions into your project plan, and deliver on them so that appropriate technical and organisational measures are put in place to mitigate risks to personal data.

  • Who carries out the DPIA: For research projects, the Principal Investigator is responsible for the DPIA. For non-research projects/initiatives the project lead is responsible for the DPIA. The DPIA should be retained with all other project documentation for the duration of the project.

Where guidance or further information is necessary, consult the University DP Office at dp@glasgow.ac.uk and where relevant external stakeholders and experts. Please be advised that the DP Office will only review DPIAs that are classified as high risk. 

Later when your new process is in place, your DPIA will provide valuable evidence to the University’s Information Asset Register for on-going review and evidence to the ICO.  Find out more: gla.ac.uk/gdpr.

Due to high demand, if you submit your DPIA to the Data Protection & FOI Office, it may take 2-3 weeks for us to provide an initial review. Depending upon the complexity of your project, there may also be extensive follow-up discussion before your DPIA is finalised. Please ensure that you leave enough time ahead of project initiation to accommodate this.

Data Protection Impact Assessment Template 

To evidence compliance with best practice, UofG has adopted the ICO Data Protection Impact Assessment (available to UofG staff by GUID login.)