Data protection impact assessments (DPIAs)

Guidance for staff on carrying out a data protection impact assessment (DPIA)

A DPIA is:

  • A tool/process to assist organisations in identifying and minimising the privacy risks of new projects, systems or policies
  • A type of impact assessment conducted by an organisation, auditing its own processes to see how these processes affect or might compromise the privacy of the individuals whose data it holds, collects, or processes
  • A tool/process to assist organisations in ensuring that all activities involving personal data are proportionate and necessary

A DPIA is designed to accomplish three goals:

  • Ensure compliance with applicable legal, regulatory, and policy requirements for privacy;
  • Determine the risks and effects; and
  • Evaluate protections and alternative processes to mitigate potential privacy risks.

When do I need to carry out a DPIA?

When you plan to:

  • Embark on a new project involving the collection of personal data;
  • Introduce new IT systems for storing and accessing personal information;
  • Participate in a new data-sharing initiative with other organisations;
  • Initiate actions based on a policy of identifying particular demographics;
  • Use existing data for a “new and unexpected or more intrusive purpose”;
  • Review or audit an existing system or activity.

Has a DPIA already been done for what I want to do?

You can check if a DPIA has been done for your project/system/policy on the Data Protection SharePoint Intranet.

List of Data Protection Impact Assessments

If a DPIA has already been completed for the specific processing or system you wish to use, you may be able to use that assessment as a basis rather than completing a new one. Please get in touch with the Data Protection Officer at to confirm.

If your legal basis is 'legitimate interest', you can find out here if a Legitimate Interest Assessment has already been done:

List of Legitimate Interest Assessments

Requesting a DPIA

When you need to conduct a DPIA, email the Data Protection Officer at and you will be assigned an assessment through our online tool. The assessment tool is a platform hosted by a third party but it will be accessed through Single Sign-On. When you request a DPIA from the Data Protection Officer, you need to provide your name and UUN as well as the names and UUNs of all those needing access to the DPIA. If external people require access, their name and email address are required. 

Student research

If you are a student and need to do a DPIA, then please download the template below together with the guidance. Upon completion, your academic supervisor will approve the DPIA. If you have already completed an ethics approval form which includes a DPIA, you do not need to complete this form.




The DPO has recorded a video on how to fill in the template with a spoof assessment. The link takes you to the SharePoint site.


This guidance document describes in detail all the steps to be taken: 

DPIA guidance (1.06 MB / PDF)


If you require these documents in an alternative format, such as large print or a coloured background, please contact the Data Protection Officer on 0131 651 4114 or email