Data Protection Impact Assessments

A Data Protection Impact Assessment (DPIA) is a process designed to help all organisations identify and minimize any risks to privacy posed by new or changed services, procedures or policies. Such data protection and privacy obligations are a key part of the new data protection legislation and its emphasis on ‘privacy by design’, which means that all new processes should consider the implications for data protection and privacy from the start, and not deal with them as an after-thought.  

DPIAs are mandatory under the UK General Data Protection Regulation (UK GDPR) for processes and technologies that are likely to result in higher or altered risks to the rights of data subjects. 

The Information Commissioner’s Office (ICO) advises that they should be built into an organisation’s procedures as an “integral part of taking a privacy by design approach”.  DPIAs can help identify and remedy data privacy or security issues at an early stage.

The ICO has detailed web pages containing information and advice regarding DPIAs:  https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/data-protection-impact-assessments-dpias/

In order to establish whether a DPIA is required, please complete this form Data Protection Impact Assessment Screening Form

If a DPIA is necessary, you will, at the very least, need to complete the assessment form Data Protection Impact Assessment

For more specific advice please contact Information Governance at infogovernance@aber.ac.uk