Page content

Data Protection Impact Assessment guidance

  • What is a Data Protection Impact Assessment (DPIA)?

    A data protection impact assessment is a process to help identify and minimise the data protection risks of a project.

    It must be done for processing that is likely to result in a high risk to the rights and freedoms of individuals (this includes some specified types of processing) but is also good practice for any major project which requires the processing of personal data.

    DPIAs should consider compliance risks, but also broader risks to the rights and freedoms of individuals, including the potential for any significant social or economic disadvantage. T

    he focus is on the potential for harm – to individuals or to society at large, whether it is physical, material or non-material.

    DPIAs are a legal requirement for processing that is likely to be high risk. But an effective DPIA can also bring broader compliance, financial and reputational benefits, helping you demonstrate accountability and building trust and engagement with individuals.

  • When is one required?

    You must do a DPIA for processing that is likely to result in a high risk to individuals.

    The GDPR states that a DPIA shall, in particular, be carried out where the proposed processing involves:

    • using systematic and extensive profiling or automated decision-making to make significant decisions about people
    • processing special category or criminal offence data on a large scale
    • systematically monitoring publicly accessible places on a large scale

    The use of the words “in particular” demonstrates that there may be other situations where a DPIA ought to be carried out.

    The ICO also requires you to do a DPIA if you plan to:

    • use innovative technology
    • use profiling, automated decision-making or special category data to help make decisions on someone’s access to a service, opportunity or benefit;
    • profile individuals on a large scale
    • process biometric data
    • process genetic data
    • match data or combine or compare datasets from different sources
    • collect personal data from a source other than the individual without providing them with a privacy notice (or otherwise process such personal data)
    • process personal data in a way that involves tracking individuals’ location or behaviour
    • process children’s personal data for profiling or automated decision-making or for marketing purposes, or offer online services directly to them
    • process personal data that might endanger the individual’s physical health or safety in the event of a security breach.

    You should also think carefully about doing a DPIA for any other processing that is large scale, involves profiling or monitoring, decides on access to services or opportunities, or involves sensitive data or vulnerable individuals.

    Even if there is no specific indication of likely high risk, it is good practice to do a DPIA for any major new project involving the use of personal data.

    If you are in any doubt about whether a DPIA is needed or not please contact the Office of the University Secretary by emailing

  • When should a DPIA be carried out?

    A DPIA should begin early in the life of a project, before you start your processing, and run alongside the planning and development process. It can be reviewed and updated as your project develops.

    This enables the University to implement ‘data protection by design and default’.

  • What should it contain?

    A DPIA must:

    • describe the nature, scope, context and purposes of the processing
    • assess necessity, proportionality and compliance measures
    • objectively identify and assess risks to individuals
    • Identify any additional measures to mitigate those risks.

    To assess the level of risk, you must consider both the likelihood and the severity of any impact on individuals. High risk could result from either a high probability of some harm, or a lower possibility of serious harm.

    Any measures identified must be integrated into your project plan.

    The ICO have provided a template which you can use.

  • Who should be involved?

    Once you have read the guidance notes listed on this page, please complete a Data Protection Impact Assessment (DPIA) form if required.

    If you are in any doubt about whether a DPIA is needed or not please contact the Office of the University Secretary by emailing

    If new technology is being used then the relevant ISD staff also need to be contacted before any purchase and when completing the DPIA.

    If the University is involving a data processor [an external person/ entity acting on our instructions] then they should assist you in the completion of the DPIA.

    If it is appropriate to do so, you should also seek the views of the individuals whose personal data is to be processed.

  • What if the project is high risk even after measures have been identified?

    If the University identifies a high risk that it cannot mitigate, the Office of the University Secretary will consult the ICO before starting the processing.

    The ICO will give written advice within eight weeks, or 14 weeks in complex cases.

  • What happens after a DPIA has been completed?

    DPIAs should be kept under review and revisited when necessary.

Please email for further guidance as required.