What is a DPIA?

A Data Protection Impact Assessment (DPIA) is a process to help you identify risks arising out of the processing of personal data and to minimise those risks where possible.

What is "personal data"?

Personal data is any information relating to an identified or identifiable living individual. We are most familiar with things like name, date of birth, address, gender and marital status, but personal data is anything that helps you identify someone, directly or indirectly: a staff or student number, an email address, an IP address, or a combination of attributes that together single one person out. The full definition under GDPR is available here.

Why are DPIAs important?

DPIAs are a vital tool for demonstrating compliance with data protection legislation and for reducing the risk of non-compliance and possible sanctions. A DPIA is a legal requirement where the way you process personal data is likely to result in a high risk to the individuals concerned. Those individuals might be staff or students of MU; they might be research subjects in various projects; they might be participants in a survey run by students. The common denominator is that if you handle personal data you may have to complete a DPIA for a proposed project, whether it is a research study, the introduction of a new piece of software, or an engagement with an external third-party supplier to the University.

When to conduct a DPIA?

The GDPR does not require a DPIA to be carried out for every processing operation. However, a DPIA is mandatory where processing of personal data is “likely to result in a high risk to the rights and freedoms” of data subjects (Article 35 GDPR).

A DPIA may also be required if an existing processing activity changes and as a result presents a high risk to the rights of individuals, for instance if an office or department significantly changes how it deals with personal data (new categories of data, new recipients, a new system, or a new purpose). In cases where it is not clear whether a DPIA is required, please complete the DPIA Pre-Screening form below, or contact the Data Protection Office at [email protected].

You should fill out the DPIA Form at the start of any major project involving the use of personal data, or when you are planning a significant change to an existing processing activity, so that the outcomes can shape the design rather than be retrofitted. The final outcomes should be integrated back into your project plan.

If you would like additional information on DPIAs, please read the Guidance Note from the Data Protection Commission website.

How to conduct a DPIA?

When conducting a DPIA it is important to consider the following points:

  • Describe the project: identify the purpose, scope, duration and goals of the project.
  • Describe the envisaged processing: the nature, scope, context and purpose of the processing, including what data is collected, who has access to it, where it is stored and for how long.
  • Describe your consultation with relevant stakeholders (for example the data subjects or their representatives, IT, and any processor or supplier involved).
  • Describe compliance and proportionality measures, including the lawful basis for processing and how you limit the data to what is necessary.
  • Identify the risks to the data subjects and assess the likelihood and severity of each risk.
  • Identify additional measures you could take to mitigate (reduce) or eliminate those risks, and record any residual risk that remains.

Here is a link to MU's current Data Protection Impact Assessment (DPIA) form.

Who to submit it to?

Please email your completed document to [email protected].
Please attach copies of relevant documentation, including consent forms, participant information leaflets, data-sharing or processor agreements, and any supplier privacy or security documentation.

What’s next?

Once you have completed all of the questions on the DPIA Form and submitted it, the MU Data Protection Office will review the DPIA and provide feedback on any risks identified, together with recommendations on the actions or controls needed to address those risks.

Note: It is the responsibility of the Project Owner / Head of School / Head of Office Unit / Research Principal Investigator to ensure that the required controls are put in place before processing starts, and to sign off on any residual risks arising from the processing.

DPIA Pre-Screening Form

If you are still unsure whether or not you need to do a DPIA, please fill out this form. We will review your answers and get back to you as soon as possible.