Data Protection Impact Assessment

Data Protection Impact Assessment

What is a DPIA?

A DPIA is a process which aims to identify risks arising out of the processing of personal data and to minimise those risks where possible. The final outcomes should be integrated back into your project plan.

Why are DPIAs important?

DPIAs are a vital tool for demonstrating compliance with data protection law and also for reducing risk of non-compliance and possible sanctions.

When to conduct a DPIA?

The GDPR does not require a DPIA to be carried out for every processing operation. The carrying out of a DPIA is mandatory where processing of personal data is “likely to result in a high risk to the rights and freedoms” of data subjects (Article 35 GDPR). For examples of risks please see Section D of our Guidelines for Conducting a DPIA.

A DPIA may be required if an existing processing activity changes and as a result presents a high risk to the rights of individuals. In cases where it is not clear whether a DPIA is required, it is still a useful tool to help TU Dublin comply with GDPR.

You should fill out the template at the start of any major project involving the use of personal data, or if you are making a significant change to an existing processing activity. The final outcomes should be integrated back into your project plan.

For further information on when to conduct a DPIA please see DPIA Criteria and Guidelines

How to conduct a DPIA?

When conducting a DPIA it is important to consider the following:

  • Describe the project: Identify the purpose, scope, duration and goals of the project.
  • Describe the envisaged processing: describe the nature, scope, context and purpose of the processing.
  • Describe your consultation with relevant stakeholders
  • Describe compliance and proportionality measures including Lawful Basis for processing
  • Identify the risks to the data subjects, the likelihood and severity of the risk and the impact of the risk.
  • Identify additional measures you could take to mitigate (reduce) or eliminate risks

For further information on how to conduct a DPIA, please see DPIA Criteria and Guidelines

Download the DPIA Form

Who to submit it to?

Please email your completed document to dataprotection@tudublin.ie

What’s next?

Once you have completed all the questions on the DPIA Form you should forward to the TU Dublin Information & Compliance Working Group who will review the DPIA and provide feedback on any risks identified and recommendations on the actions or controls needed to address those risks.

It is the responsibility of the project owner, Head of School/Function to ensure the required controls are put in place and to sign off on any risks arising from the processing.