Data Protection Impact Assessment

What is a DPIA?

A Data Protection Impact Assessment (DPIA) is a process used to identify and mitigate the privacy risks associated with a project involving personal data processing. 

A DPIA is required for all projects at the University involving personal data processing and is a legal requirement when the processing is likely to result in a high risk to individuals. It is also an essential part of data protection by design and default.

The DPIA process is therefore key to helping the University demonstrate compliance with its obligations under Data Protection law and builds trust with stakeholders by showing that the University takes its Data Protection responsibilities seriously.

Carrying out a DPIA

The DPIA Decision Tool will help you determine whether a DPIA is required for your project, and if so, whether the DPIA also requires review.

DPIA Decision Tool (UofG login required)

A DPIA will be required when:

  • undertaking research involving human subjects (where the data processing is fully identifiable or pseudonymous). All research involving human subjects requires ethical review and approval. Consult with the relevant University Ethics Committee for further advice.
  • building or migrating to new IT systems for storing or accessing personal data
  • developing or amending a policy or strategy that has privacy implications
  • embarking on new data sharing initiatives with other organisations
  • using personal data for new purposes 

Use the University's DPIA Template (Word, 106KB)

Begin the DPIA process at the start of a project, before any data processing takes place. This should run alongside any project planning and development workflows.

Responsibilities

  • For research projects, the Principal Investigator is responsible for the DPIA.
  • For non-research projects the project lead is responsible for the DPIA.
  • The DP&FOI Office are responsible for providing advice and guidance on the DPIA process, and for reviewing DPIAs where the processing is considered high risk. The DP&FOI Office do not sign off or approve DPIAs; their role is in an advisory capacity only.
  • Ultimate responsibility for information risk at the University lies with Senior Information Risk Owners (SIROs), although they are unlikely to have any day-to-day involvement with the DPIA process.

DPIAs must be updated during the life of a project and retained alongside all other project documentation.

Upon completion, DPIAs must also be submitted to the University’s Information Asset Register for ongoing review and consultation for compliance purposes.

Support and guidance

Where guidance or further information is necessary, consult the DP&FOI Office and, where relevant, other internal and external stakeholders and experts. For example, projects involving the development or use of new technology should consult with the University’s IT Services and Information Security teams.

Consult with the University's Research Regulation and Compliance (RRC) Office for research projects concerning human subjects in an NHS health and social care setting (staff, patients, their families and carers, data, or tissue). DPIAs for research in this setting should be sent directly to the RRC Office for review.

The DP&FOI Office will only review DPIAs involving data subjects (outwith NHS health and social care settings) that are classified as high risk. Review the Information Risk Classifications to determine if you are working with high risk data.

Review timescales

DPIA review timescales will vary depending on demand and the DP&FOI Office’s capacity.

Currently, it may take the DP&FOI Office more than 8 weeks to provide an initial review. Depending upon the complexity of the project, there may also be extensive follow-up discussion before a DPIA review can be finalised.

Please factor in DPIA review timescales when planning a project to ensure any recommendations made can be incorporated prior to project initiation.