The DPIA Process - a step-by-step guide

How to complete a DPIA

Carrying out a DPIA is a process, not a stand-alone (or one-off) document. The diagram (below) shows the different stages of carrying out a DPIA for you to follow.

University templates have been designed to help walk you through the DPIA process. The templates help you to identify the need for a DPIA and then complete a DPIA:

  • DPIA Initial Screening template (.docx):  this allows you to assess whether you need to complete a DPIA and can also serve to record that you have carried out a screening test for your project.
  • DPIA Risk Assessment Template (.docx): this allows you to evaluate any possible risk and also mitigate or eliminate such risks.

 

1. Identify need for a DPIA

Carry out an initial screening to see if you need to do a full DPIA by accessing the DPIA Initial Screening Checklist document.

2. Describe the processing

Explain the nature, scope, context and purpose of the data and of the processing in respect of the data, so that these are understood. Utilise flow diagrams and standard operating procedures.

3. Consider consultation

You should consult a range of interested parties, including experts relating to the activity/processing you are considering; technical data protection experts such as Information Security or Information Governance colleagues; and the people whose data you intend to process, to seek their views.

4. Assess necessity and proportionality

Ensure you have a lawful basis for processing and that you can support the rights of the people whose data you intend to process. Check that the processing will achieve your purpose and consider safeguards to ensure there is no function creep.

5. Carry out a Risk Assessment

The process includes steps to identify, assess and plan actions to mitigate risks to the privacy and data protection of individuals. You should consider risks widely, including physical, material, and non-material types of risk. Risks could include economic loss, social harm, or wider impact on society, e.g. loss of public trust. Use the University's DPIA Template to help you gather and record details of risks, as well as note relevant sign-offs and actions.

6. Integrate outcomes into plan

Ensure your considerations, conclusions and actions arising from the DPIA are incorporated into a report. This may be incorporated into a report format connected with any project methodology or governance requirements already in use.

7. Keep under review

Ensure you keep track of any actions identified and, once your processing is underway, test its operation against the original purpose and data protection considerations.