Data Protection Impact Assessment

Data Protection Impact Assessment

  • What is a DPIA: A tool for building and demonstrating compliance and trust and for protecting the rights and interests of data subjects. A DPIA is a legal requirement when personal data processing is likely to result in a high risk to data subjects. Review the Information Risk Classifications to determine if your processing is high risk.
  • When is a DPIA carried out: At the start of any major project/service that will process personal data, or when making a significant change that affects the risk level to personal data.  Assess and integrate DPIA actions into your project plan, and deliver on them. Examples of when a DPIA may be required include:
    • undertaking research involving human data subjects
    • building or migrating to new IT systems for storing or accessing personal data
    • developing or amending a policy or strategy that has privacy implications
    • embarking on new data sharing initiatives with other organisations
    • using data for new purposes  
  • Why carry out a DPIA: As stated above a DPIA is a legal requirement in certain circumstances. Additionally, assessment will fully explore and address any project/system issues during planning and design stages, so that appropriate technical and organisational measures are put in place to mitigate risks to personal data.
  • Who carries out the DPIA: For research projects, the Principal Investigator is responsible for the DPIA. For non-research projects/initiatives the project lead is responsible for the DPIA. Where guidance or further information is necessary, consult the University DP Office at dp@glasgow.ac.uk and where relevant external stakeholders and experts. Please be advised that the DP Office will only review DPIAs that are classified as high risk. 

Before submitting your DPIA template to the DP Office, please ensure that you consider and, where appropriate, address the following: 

  • If you are claiming that your data is anonymous, are there any potential data linkages that would allow someone to identify your data subjects? Note that simply removing a name does not consititute anonymisation. Consider the impact of other potential identifiers e.g. you are studying individuals with an uncommon medical condition and also working with gender, age, and location data or other factors that narrow your population and potentially lead to identification
  • Is your data truly anonymous or is it pseudonymous? If you hold an identifier key(s) that would allow you or another party to identify your masked data then it is pseudonymous and therefore must be treated as personal data.  
  • Be as specific as possible regarding your data flow -- where is the data coming from, who are you sharing access with, where is it going upon project completion?
  • How will you gather, store and access the data? Will you require third parties to assist you?
  • If you are sharing your personal datat outwith the University, is a data sharing agreement in place or do you need one?
  • Have you completed a privacy notice to inform data subjects on the intended use of their personal data? 
  • Have you completed the University's online Data Protection and or Information Security trainings? (This training is mandatory for staff.) 
  • Have you completed a research data management plan?
  • Consider ways to reduce potential risk and demonstrate practical compliance, including: 
    • pseudonymisation
    • data minimisation
    • storage limitation 
    • access restrictions 
    • technical solutions (e.g. encryption)
    • organisational measures (e.g. policies, procedures and workflows to comply with GDPR requirements)

Data Protection Impact Assessment Template 

To evidence compliance with best practice, UofG has adopted the ICO Data Protection Impact Assessment (available to UofG staff by GUID login.)