A Data Protection Impact Assessment (DPIA) is a process which helps to identify and mitigate potential risks to privacy and compliance with data protection law when processing personal data.
Contents
- Purpose of a DPIA
- When should a DPIA be considered
- Check if you need to complete a DPIA
- When a DPIA is not required
- Who should complete a DPIA
- Download DPIA template
- Further Information
Whilst there was no statutory requirement to undertake DPIAs, under previous data protection legislation, they are regarded as good practice by the UK Information Commissioner’s Office (ICO) and help to demonstrate compliance with existing data protection legislation. Under the new data protection legislation, in force from 25 May 2018, DPIAs are required for high risk processing activities.
We have developed this brief note on carrying out a DPIA, as it now forms part of our research registration process. This should assist researchers with making their own judgements for each project that they undertake which has potential privacy impacts.
You should consider conducting a DPIA during the planning stage of new projects. A DPIA may also be required if changes are made to an existing project.
DPIAs must be updated as the process develops, particularly if issues are identified which may affect the risk to the data protection rights of the affected individual
Take the screener to decide whether you need to conduct a DPIA.
A DPIA would not be required where:
- The processing is not likely to result in a high risk to data subjects’ rights;
- The nature, scope, context and purposes of the processing are very similar to the processing for which a DPIA has already been carried out. Where a set of similar processing operations present similar high risks, a single DPIA may be undertaken to address all of those processing operations;
- or Personal data is not being processed.
In the context of a research project, the Chief Investigator, Principal Investigator, or Supervisor is normally responsible for ensuring the completion of a DPIA, as part of the research registration form.
Note that in all cases, input and support from relevant third party data processors should be sought where applicable.
DPIA for professional services / general use.
When completing the DPIA for professional services/ general use, please refer to the guidance document:
DPIA for research
- DPIA Research Fillable Form February 2021
If the data in scope of this DPIA will be processed within the UCL Data Safe Haven, the following will apply when completing the DPIA template below:
c) ❎ data is not encrypted at rest within the Data Safe Haven
d) ✅ data is encrypted when transferred in to and out of the Data Safe Haven
f) ✅ in addition to UCL’s mandatory training, information governance training is required for all users of the Data Safe Haven
m) ✅ data held and processed in the Data Safe Haven remains in the EEA
q) ✅ the Data Safe Haven provides restricted access controls
In all cases, you also need to take into account any other processes your data will be subject to that do not use the Data Safe Haven, such as transcription and data transfers.

Contact the Data Protection Team.