Division of General Counsel, Governance and Compliance

Data Protection Impact Assessments

A Data Protection Impact Assessment (‘DPIA’) is an assessment that helps the University to identify and minimise the data protection risks of specific projects or particular areas of work. Under data protection legislation, we are required to do a DPIA if we intend to process personal data in a way that is likely to result in a high risk to individuals. It is also good practice to do a DPIA for any major project which requires the processing of personal data.

The DPIA assesses the likelihood and severity of any risk and helps us to decide what measures and safeguards should be in place to mitigate those risks and to ensure the protection of personal data.

Processing that is likely to result in a high risk to individuals includes the following: 

  • Evaluation or scoring, including profiling and predicting
  • Automated decision making with legal or similar significant effect
  • Systematic monitoring
  • Processing involving sensitive data or data of a highly personal nature
  • Data processed on a large scale
  • Matching or combining datasets
  • Data concerning vulnerable data subjects
  • Innovative use or applying new technological or organisational solutions or
  • When the processing itself prevents individuals from exercising their data rights or using a service or a contract.

To help you decide if a DPIA is needed, please complete our DPIA Screening questions as a first step. You can also seek advice from the University’s Data Protection Officer.

If you answer ‘Yes’ to any of the questions, please contact the University’s Data Protection Officer, who will be able to decide if a DPIA is required and advise on next steps. If you decide that you do not need to complete a DPIA (all the answers are ‘No’), you should document this decision along with your reasoning, so it is useful to keep a record of the completed questions.

Where a DPIA is needed, it must describe the nature, scope, context and purpose of the processing and identify and assess risks to individuals, as well as any measures that can be put in place to mitigate those risks.

Last updated 03 May 2024