Data Protection Impact Assessment

  • What is a DPIA: A tool for building and demonstrating compliance and trust and for protecting the rights and interests of data subjects. A DPIA is a legal requirement when personal data processing is likely to result in a high risk to data subjects. Review the Information Risk Classifications to determine if your processing is high risk. Review, and if necessary address, the DPIA List of Requirements.
  • When is a DPIA carried out: At the start of any major project/service that will process personal data, or when making a significant change that affects the risk level to personal data. Assess and integrate DPIA actions into your project plan, and deliver on them. Examples of when a DPIA may be required include:
    • undertaking research involving human data subjects
    • building or migrating to new IT systems for storing or accessing personal data
    • developing or amending a policy or strategy that has privacy implications
    • embarking on new data sharing initiatives with other organisations
    • using data for new purposes
  • Why carry out a DPIA: As stated above, a DPIA is a legal requirement in certain circumstances. Additionally, the assessment will fully explore and address any project/system issues during the planning and design stages, so that appropriate technical and organisational measures are put in place to mitigate risks to personal data.
  • Who carries out the DPIA: For research projects, the Principal Investigator is responsible for the DPIA. For non-research projects/initiatives, the project lead is responsible for the DPIA. Where guidance or further information is necessary, consult the University DP Office at dp@glasgow.ac.uk and, where relevant, external stakeholders and experts. Please be advised that the DP Office will only review DPIAs that are classified as high risk.

Due to high demand, if you submit your DPIA to the Data Protection & FOI Office, it may take 2-3 weeks for us to provide an initial review. Depending upon the complexity of your project, there may also be extensive follow-up discussion before your DPIA is finalised. Please ensure that you leave enough time ahead of project initiation to accommodate this.

Data Protection Impact Assessment Template

To evidence compliance with best practice, UofG has adopted the ICO Data Protection Impact Assessment template (available to UofG staff by GUID login).