A Data Protection Impact Assessment (DPIA) is a process which helps to identify and mitigate potential risks to privacy and compliance with data protection law when processing personal data.
Contents
- Purpose of a DPIA
- When should a DPIA be considered
- Check if you need to complete a DPIA
- When a DPIA is not required
- Who should complete a DPIA
- Download DPIA template
- Further Information
Under the UK GDPR, a DPIA is required for any processing activity likely to result in a high risk to individuals’ rights and freedoms. A DPIA helps identify risks, assess their impact, and ensure appropriate safeguards are in place.
We have developed this brief note on carrying out a DPIA, as it now forms part of our research registration process. This should assist researchers with making their own judgements for each project that they undertake which has potential privacy impacts.
You should consider conducting a DPIA during the planning stage of new projects. This will help to ensure that any potential problems are identified at an early stage, when addressing them will often be both simpler and less costly. A DPIA may also be required if changes are made to an existing project, e.g. when personal data already collected are used for a new purpose incompatible with the purpose for which they were originally collected.
A DPIA is not a one-off exercise: it must be updated as the processing develops and remains relevant throughout the life cycle of your project, particularly if issues are identified which may affect the risk to the data protection rights of the affected individuals.
Take the screener to decide whether you need to conduct a DPIA.
A DPIA would not be required where:
- The processing is not likely to result in a high risk to data subjects’ rights;
- The nature, scope, context and purposes of the processing are very similar to the processing for which a DPIA has already been carried out. Where a set of similar processing operations present similar high risks, a single DPIA may be undertaken to address all of those processing operations;
- Personal data is not being processed.
In the context of a research project, the Chief Investigator, Principal Investigator, or Supervisor is normally responsible for ensuring the completion of a DPIA, as part of the research registration form. The DPO provides advice and recommendations in relation to DPIAs that are shared with them for review or comment. The DPO does not "approve" or "sign off" DPIAs. It is the responsibility of the Chief Investigator, Principal Investigator, or Supervisor to either accept or overrule the recommendations provided by the DPO.
Note that in all cases, input and support from relevant third party data processors should be sought where applicable.
DPIA for professional services / general use
We now provide an improved online DPIA form for professional services / general use, available through the LogicGate platform: https://ucl.logicgate.com/
It includes screening questions and is intended to make the process clearer and more user-friendly. We acknowledge the form is new, so if you identify issues with it, or have useful feedback, please let us know at data-protection@ucl.ac.uk so we can improve this service. If you prefer, you may still complete the DPIA using the Word-based template:
When completing the DPIA, please refer to the accompanying guidance document to ensure all required sections are completed correctly.
DPIA for research
- DPIA Research Fillable Form February 2021
If the data in scope of this DPIA will be processed within the UCL Data Safe Haven, the following answers apply when completing the research DPIA template:
c) ❎ data is not encrypted at rest within the Data Safe Haven
d) ✅ data is encrypted when transferred in to and out of the Data Safe Haven
f) ✅ in addition to UCL’s mandatory training, information governance training is required for all users of the Data Safe Haven
m) ✅ data held and processed in the Data Safe Haven remains in the EEA
q) ✅ the Data Safe Haven provides restricted access controls
In all cases, you also need to take into account any other processes your data will be subject to that do not use the Data Safe Haven, such as transcription and data transfers.

Contact the Data Protection Team.
The ICO has also published guidance on DPIAs, including "When do we need to do a DPIA?", to assist with making this determination.