• Back to previous menu
• Data Protection
• • Data Protection Impact Assessments
  • Data Protection Officer
  • Data Protection Policy
  • Information Asset Registers
  • Privacy Notice
  • Processing Personal Data
  • Reporting Data Breaches
  • Rights of Individuals
  • Requests for erasure of personal data
  • Transferring personal data outside the UK
  • Glossary
  • Research and Data Protection
  • Data protection training
  • Record of Processing Activities
  • Research Excellence Framework 2021 and data protection
  • Online Teaching and Data Protection
  • Data Protection Guidance for Email Correspondence
  • Disclosure of Personal Data Relating to Students
  • COVID-19 and Personal Data Collection
  • Special category and criminal offence data
  • Surveys and mailing lists

Data Protection Impact Assessments

A Data Protection Impact Assessment (‘DPIA’) is an assessment that helps us to identify and minimise the data protection risks of specific projects or particular areas of work. Under data protection legislation, we are required to do a DPIA if we intend to process personal data that is likely to result in a high risk to individuals. It is also good practice to do a DPIA for any major project which requires the processing of personal data.

The DPIA assesses the likelihood and severity of any risk and helps us to decide what measures and safeguards should be in place to mitigate those risks and to ensure the protection of personal data.

Processing that is likely to result in a high risk to individuals includes the following: 

• Evaluation or scoring, including profiling and predicting
• Automated decision making with legal or similar significant effect
• Systematic monitoring
• Processing involving sensitive data or data of a highly personal nature
• Data processed on a large scale
• Matching or combining datasets
• Data concerning vulnerable data subjects
• Innovative use or applying new technological or organisational solutions or
• When the processing itself prevents individuals from exercising their data rights or using a service or a contract.

To help you decide if a DPIA is necessary, you should complete the DPIA Screening questions. You can also seek advice from the University’s Data Protection Officer.

If you answer Yes to any of the questions, please contact the University’s Data Protection Officer who will be able to decide if a DPIA is required and advise on next steps.

If you decide that you do not need to complete a DPIA – all the questions are ‘No’ - you should document this decision along with your reasoning. So it is useful to keep a record of the completed questions.

Where a DPIA is needed, it must describe the nature, scope, context and purpose of the processing and identify and assess risks to individuals, as well as any measures that can be put in place to mitigate those risks.

The University has a DPIA template that should be completed – please contact the Data Protection Officer for a copy of the template who will also advise on the process and how to complete the assessment. There may also be other areas of the University and third parties that need to be consulted as part of the assessment process. This might include other Data Controllers and Processors, affected individuals and other relevant stakeholders.

Last updated 20 October 2023