DPIA

Rameesa GM
3 min readAug 11, 2021

Data Protection Impact Assessment (DPIA)

A Data Protection Impact Assessment (DPIA) is a process which helps an organisation to identify and mitigate the risks to individuals’ privacy, and to its own compliance with data protection law, that arise when it processes personal data.

A DPIA enables organisations to identify and reduce the privacy risks of a project by analysing how the proposed uses of personal information and technology will work in practice.

Whilst there was no statutory requirement to undertake DPIAs under previous data protection legislation, they were regarded as good practice by the UK Information Commissioner’s Office (ICO) and helped to demonstrate compliance with the legislation then in force. Under the GDPR, in force from 25 May 2018, DPIAs are required for high-risk processing activities.

We have developed this brief note on carrying out a DPIA, as it now forms part of our research registration process. This should assist researchers with making their own judgements for each project that they undertake which has potential privacy impacts.

When should a DPIA be considered

Carrying out a DPIA is mandatory where the processing of personal data is likely to result in a high risk to the rights and freedoms of individual data subjects.

You should consider conducting a DPIA during the planning stage of new projects. A DPIA may also be required if changes are made to an existing project.

DPIAs must be updated as the project develops, particularly if issues are identified which may affect the risk to the data protection rights of the individuals concerned.

Check if you need to complete a DPIA

Take the DPIA screener to decide whether you need to conduct a DPIA.

When a DPIA is not required

It is not necessary to conduct a DPIA in all circumstances.

A DPIA would not be required where:

  • the processing is not likely to result in a high risk to data subjects’ rights and freedoms;
  • the nature, scope, context and purposes of the processing are very similar to processing for which a DPIA has already been carried out (where a set of similar processing operations present similar high risks, a single DPIA may be undertaken to address all of those processing operations); or
  • personal data is not being processed.

Who should complete a DPIA

In the context of a research project, the Chief Investigator, Principal Investigator, or Supervisor is normally responsible for ensuring the completion of a DPIA, as part of the research registration form.

Note that input and support from any relevant third-party data processors should be sought where applicable. Under the GDPR, the controller must also seek the advice of its Data Protection Officer, where one has been designated.

Of the many new measures introduced by the General Data Protection Regulation (GDPR), the requirements surrounding Data Protection Impact Assessments often cause the most confusion. Many business owners are unsure what the document is for or when it is required.

In this article, we’ll wade through the legalese to explain the complexities of Data Protection Impact Assessments so you can do your own successful assessment and document it in the best way possible.

What is the Purpose of a Data Protection Impact Assessment?

Data Protection Impact Assessments (DPIAs) are used to identify, assess and mitigate potential risks to personal data before launching a new business endeavour or project.

By performing a DPIA before starting a new project, you can:

  • Better understand the data protection risks that will be faced during the project
  • Identify measures to reduce or eliminate those risks
  • Decide whether the benefits of the project outweigh the remaining data protection risks
  • Prepare an informed statement that discloses the risks to any individuals who will be affected
