A DPIA is:
- A tool/process to assist organisations in identifying and minimising the privacy risks of new projects, systems or policies
- A type of impact assessment conducted by an organisation, auditing its own processes to see how these processes affect or might compromise the privacy of the individuals whose data it holds, collects, or processes
- A tool/process to assist organisations in ensuring that all activities involving personal data are proportionate and necessary
A DPIA is designed to accomplish three goals:
- Ensure compliance with applicable legal, regulatory, and policy requirements for privacy;
- Determine the risks and effects of the proposed processing on individuals' privacy; and
- Evaluate protections and alternative processes to mitigate potential privacy risks.
When do I need to carry out a DPIA?
When you plan to:
- Embark on a new project involving the collection of personal data;
- Introduce new IT systems for storing and accessing personal information;
- Participate in a new data-sharing initiative with other organisations;
- Initiate actions based on a policy of identifying particular demographics;
- Use existing data for a “new and unexpected or more intrusive purpose”;
- Review or audit an existing system or activity.
Has a DPIA already been done for what I want to do?
You can check if a DPIA has been done for your project/system/policy on the Data Protection SharePoint Intranet.
List of Data Protection Impact Assessments
If a DPIA has already been completed for the specific processing or system you wish to use, you may be able to use that assessment as a basis rather than completing a new one. Please get in touch with the Data Protection Officer at dpo@ed.ac.uk to confirm.
If your legal basis is 'legitimate interest', you can find out here if a Legitimate Interest Assessment has already been done:
List of Legitimate Interest Assessments
Requesting a DPIA
When you need to conduct a DPIA, email the Data Protection Officer at dpo@ed.ac.uk and you will be assigned an assessment through our online tool. The assessment tool is a platform hosted by a third party, but it is accessed through Single Sign-On. When you request a DPIA from the Data Protection Officer, you need to provide your name and UUN, as well as the names and UUNs of everyone who needs access to the DPIA. If external people require access, their name and email address are required instead.