The DPIA Process - a step-by-step guide
How to complete a DPIA
Carrying out a DPIA is a process, not a stand-alone (or one-off) document. The diagram (below) shows the different stages of carrying out a DPIA for you to follow.
University templates have been designed to help walk you through the DPIA process. The templates help you to identify the need for a DPIA and then complete a DPIA:
- DPIA Initial Screening template (.docx): this allows you to assess whether you need to complete a DPIA and can also serve to record that you have carried out a screening test for your project.
- DPIA Risk Assessment Template (.docx): this allows you to evaluate any possible risk and also mitigate or eliminate such risks.
1. Identify need for a DPIA
Carry out an initial screening to see if you need to do a full DPIA by accessing the DPIA Initial Screening Checklist document.
2. Describe the processing
Explain the nature, scope, context and purpose of the data and of the processing in respect of the data, so that they are understood. Utilise flow diagrams and standard operating procedures.
3. Consider consultation
You should consult with a range of interested parties, including experts relating to the activity/processing you are considering and technical data protection experts such as Information Security or Information Governance colleagues, and seek the views of the people whose data you intend to process.
4. Assess necessity and proportionality
Ensure you have a lawful basis for processing and that you can support the rights of the people whose data you intend to process. Check that the processing will achieve your purpose and consider safeguards to ensure there is no function creep.
5. Carry out a Risk Assessment
The process includes steps to identify, assess and plan actions to mitigate risks to the privacy and data protection of individuals. You should consider risks widely, including physical, material, and non-material types of risk. Risks could include economic loss, social harm, or wider impact on society, e.g. loss of public trust. Use the University's DPIA Template to help you gather and record details of risks, as well as note relevant sign-offs and actions.
6. Integrate outcomes into plan
Ensure your considerations, conclusions and actions arising from the DPIA are incorporated into a report. This may be incorporated into a report format connected with any project methodology or governance requirements already in use.
7. Keep under review
Ensure you keep track of any actions identified and, once your processing is underway, test its operation against the original purpose and data protection considerations.