General Data Protection Regulation (GDPR)
The University provides guidance on the General Data Protection Regulation (GDPR) requirements including links to the Information Protection Policy, FAQs and Top Tips. Essential, mandatory training for all staff is completed as part of the induction process for new starters through Information Security Essentials.
More information on data protection at the University of Leeds is available on the Data Protection website.
Some initiatives will deal with personal data that falls under the data protection and privacy issues outlined by GDPR. A Data Protection Impact Assessment (DPIA) is a tool which helps to assess the data protection and privacy risks to individuals in the collection, use and disclosure of information. Completing a DPIA will identify and outline how to minimise these risks. It is a requirement for all initiatives to complete a screening checklist to evaluate if it is necessary to complete a full DPIA.
The DPIA will:
- Describe the nature, scope, context and purposes of the processing
- Assess necessity, proportionality and compliance measures
- Identify and assess risks to individuals
- Identify any additional measures to mitigate those risks
© ICO GDPR guidance: Data Protection Impact Assessment (DPIAs)
A DPIA is a flexible tool, and follows a process that will be monitored and reviewed throughout the initiative delivery.
Several downloads are available to support you in completing the DPIA.
Data Protection Impact Assessment FAQs
Why do I need to complete a Data Protection Impact Assessment (DPIA)?
A DPIA helps identify data privacy risks when planning new (and revising existing) projects and to identify actions to mitigate these risks.
A DPIA should be carried as it is a useful tool to help organisations comply with data protection law. A DPIA is required:
- Where data processing is likely to result in a high risk of harm to individuals (for example new technology is used)
- Large volumes of data are processed
- The data is sensitive
- The University conducts profiling activities leading to decisions which produce legal effects for individuals (such as credit screening), or where the University monitors publicly accessible areas (for example CCTV).
Where high risks cannot be mitigated, it may be necessary for the Data Protection Officer to consult with the Information Commissioner's Office (ICO) prior to processing. The University can be fined for not doing so.
Failing to carry out a DPIA correctly or failing to consult the competent supervisory authority where required can result in a fine.
When should I complete this DPIA?
The DPIA should be started as early as practical in the design of the data processing operation. It should be considered from the project outset, during planning, and prior to any contractual negotiations, while there is still time to influence the project design.
The DPIA should be carried out prior to processing personal data as part of the project.
Who should complete this DPIA?
The controller (that is the University) is responsible and remains ultimately accountable for ensuring that the DPIA is carried out.
The University Project Manager should complete this DPIA, in consultation and agreement with the Business Lead and University Sponsor.
The University's Data Protection Officer should be consulted where risks cannot be mitigated.
Relevant stakeholders (internal and external) should be consulted throughout the DPIA process to assist in identifying privacy risks.
How should a DPIA be completed?
A process, template and guidance is available to support the completion of a DPIA, with further information available on the University Data Protection website.
It is important to note that the intensity of a DPIA should be proportionate to the size of the project and the related privacy risk. Account should be taken of the nature, scope, context and purpose of the data processing.