Data Protection Impact Assessment guidance
-
What is a Data Protection Impact Assessment (DPIA)?
A data protection impact assessment is a process to help identify and minimise the data protection risks of a project.
It must be done for processing that is likely to result in a high risk to the rights and freedoms of individuals (this includes some specified types of processing) but is also good practice for any major project which requires the processing of personal data.
DPIAs should consider compliance risks, but also broader risks to the rights and freedoms of individuals, including the potential for any significant social or economic disadvantage. The focus is on the potential for harm – to individuals or to society at large, whether it is physical, material or non-material.
DPIAs are a legal requirement for processing that is likely to be high risk. But an effective DPIA can also bring broader compliance, financial and reputational benefits, helping you demonstrate accountability and building trust and engagement with individuals.
-
When is one required?
You must do a DPIA for processing that is likely to result in a high risk to individuals.
The GDPR states that a DPIA shall, in particular, be carried out where the proposed processing involves:
- using systematic and extensive profiling or automated decision-making to make significant decisions about people
- processing special category or criminal offence data on a large scale
- systematically monitoring publicly accessible places on a large scale
The use of the words “in particular” demonstrates that there may be other situations where a DPIA ought to be carried out.
The ICO also requires you to do a DPIA if you plan to:
- use innovative technology
- use profiling, automated decision-making or special category data to help make decisions on someone’s access to a service, opportunity or benefit
- profile individuals on a large scale
- process biometric data
- process genetic data
- match data or combine or compare datasets from different sources
- collect personal data from a source other than the individual without providing them with a privacy notice (or otherwise process such personal data)
- process personal data in a way that involves tracking individuals’ location or behaviour
- process children’s personal data for profiling or automated decision-making or for marketing purposes, or offer online services directly to them
- process personal data that might endanger the individual’s physical health or safety in the event of a security breach.
You should also think carefully about doing a DPIA for any other processing that is large scale, involves profiling or monitoring, decides on access to services or opportunities, or involves sensitive data or vulnerable individuals.
Even if there is no specific indication of likely high risk, it is good practice to do a DPIA for any major new project involving the use of personal data.
If you are in any doubt about whether a DPIA is needed or not, please contact the Office of the University Secretary by emailing gdpr@ulster.ac.uk.