What is a Data Protection Impact Assessment (DPIA)?
A DPIA is a process which aims to identify risks arising out of the processing of personal data and to minimise those risks where possible. DPIAs are important tools for mitigating risk and demonstrating compliance with the GDPR.
Why are DPIAs important?
DPIAs are a vital tool for demonstrating compliance with data protection legislation and also for reducing risk of non-compliance and possible sanctions. They also ensure a ‘privacy by design’ approach is adopted to any project/process.
When to conduct a DPIA?
The GDPR does not require a DPIA to be carried out for every processing operation. The carrying out of a DPIA is mandatory where processing of personal data is “likely to result in a high risk to the rights and freedoms” of data subjects (Article 35 GDPR).
You should conduct a DPIA at the start of any major project involving the use of personal data, or if you are making a significant change to an existing processing activity. If you are unsure whether your project processes personal data, a DPIA Initial Assessment should be conducted to ascertain whether a full DPIA is required for your project or processing activity.
For further information on when to conduct a DPIA please see Data Protection Impact Assessments | Data Protection Commissioner
How to conduct a DPIA?
When conducting a DPIA it is important to consider the following:
- Describe the project: Identify the purpose, scope, duration and goals of the project.
- Describe the envisaged processing: describe the nature, scope, context and purpose of the processing.
- Describe your consultation with relevant stakeholders.
- Describe compliance and proportionality measures including Lawful Basis for processing.
- Identify the risks to the data subjects, the likelihood and severity of the risk and the impact of the risk.
- Identify additional measures you could take to mitigate (reduce) or eliminate risks.
DPIA Form
Please email dataprotection@tudublin.ie who will provide the link to complete the online DPIA Form.
What’s next?
Once you have completed all the questions on the DPIA Form, the TU Dublin Information Governance team will review the DPIA and provide feedback on any risks identified, along with recommendations on the actions or controls needed to address those risks.
It is the responsibility of the project owner, Head of School/Service Area to ensure the required controls are put in place and to sign off on any risks arising from the processing.