What is a DPIA?
An introduction to the concept of the data protection impact assessment
A DPIA is a flexible tool designed to help you effectively identify and minimise the data protection risks of a new project. It is a key part of your accountability obligations under the GDPR.
Conducting a DPIA will not eliminate all risk, but it should help you minimise risk and decide whether the residual risk is acceptable in the circumstances.
In some cases a DPIA is a legal requirement: processing that is likely to result in a high risk to individuals must be assessed before it begins. However, an effective DPIA can also bring broader compliance, financial and reputational benefits, helping you demonstrate accountability and build trust and engagement with individuals.
What are the benefits of a DPIA?
There are numerous benefits to completing a DPIA. Here are just a few:
- Increasing the likelihood that the initiative succeeds, because privacy risks are identified early, allowing controls to be designed in at lower cost and with less impact on delivery.
- Accessing certain funding grants. Research funders increasingly want assurance that Principal Investigators (PIs) are committed to keeping participants' data safe, are aware of any possible data protection challenges, and are doing their best to mitigate them.
- Fulfilling the University’s legislative, statutory, and contractual obligations in relation to data processing activities.
- Meeting individuals' expectations of privacy and helping to avoid reputational damage which might otherwise occur.
- Identifying opportunities to incorporate 'Data Protection by Design' principles into the project.
What are the consequences of not completing a DPIA?
Failure to comply with the DPIA requirements can result in significant fines being imposed by the ICO. Under the GDPR, each of the following omissions can result in a fine of up to €10 million or 2% of annual worldwide turnover, whichever is higher:
- Failure to carry out a DPIA when the processing requires one
- Carrying out a DPIA incorrectly
- Failure to consult the ICO where required (that is, where a high residual risk remains after the measures identified in the DPIA have been applied).
When should I complete a DPIA?
If the project is likely to result in a high risk to individuals' rights and freedoms, then a DPIA is necessary, and it must be completed before the processing starts. See the DPIA Initial Screening template to decide whether you need to do a DPIA.
Who should conduct a DPIA?
Responsibility for ensuring that a specific DPIA is completed lies with the individual responsible for the initiative, such as:
- Project sponsor
- Information asset owner
- Research project lead
Who should retain the DPIA?
The individual responsible for the initiative should retain the master copy of the completed DPIA for audit purposes and to be able to demonstrate compliance with legislative requirements. The University's Information Governance Manager may request a copy of the DPIA for monitoring and reporting purposes.