Data Protection Impact Assessments (DPIAs) are a tool used to identify and mitigate any risks associated with the processing of personal data. They can also help you develop more efficient and effective ways of handling personal data.
DPIAs are an element of 'data protection by design'. This involves considering data protection and privacy issues at the 'design' phase of a project, meaning they are built into the process from the outset. For example, this might involve ensuring your system has a mechanism for dealing with requests for personal data, or flagging records for deletion in line with your records retention policy.
- The University stipulates that a DPIA must be carried out whenever a new project involves the use of personal data.
- The DPIA should be carried out towards the start of the project, and importantly before you start processing any personal data.
- As part of the DPIA process you will probably need to consult with the SGUL General Counsel, who will review any supplier contracts or other legal documentation associated with your project.
- It is also advisable to contact IT Services to check that there are no security or compatibility issues with new software, systems or technologies you are looking to implement.
- The DPIA should be treated as a 'living document' and updated over the lifecycle of your project, whenever any changes are made.
Our set of screening questions will help you establish whether you need to complete a DPIA or not.
You can find the Data Protection Impact Assessment form on the Information & Technical Security pages under Privacy By Design. You will also find the screening questions there.
For help filling out your DPIA please see the Guidance on completing a Data Protection Impact Assessment Form.
More detailed information about the DPIA process can be found in the Privacy By Design Procedure.