
Data Protection Impact Assessments (DPIA)

A Data Protection Impact Assessment (DPIA) is a way to identify, analyse and mitigate risks associated with data protection.

The University must conduct a DPIA when processing of personal data is "likely to result in a high risk" to individuals; in particular the UK GDPR says a DPIA must be completed in the following circumstances:

  • Use of systematic and extensive profiling with significant effects;
  • Processing of special category or criminal offence data on a large scale; and/or
  • Systematically monitoring publicly accessible places on a large scale. 

In addition, the ICO requires a DPIA to be completed when:

  • using innovative technology;
  • using profiling or special category data to decide on access to services;
  • profiling of individuals on a large scale;
  • processing biometric data;
  • processing genetic data;
  • matching data or combining datasets from different sources;
  • collecting personal data from a source other than the individual without providing them with a privacy notice (invisible processing);
  • tracking individuals' location or behaviour;
  • profiling children or target marketing of online services to them;
  • processing data that might endanger the individual's physical health or safety in the event of a security breach.

DPIAs are also a useful tool to demonstrate compliance with data protection principles and our statutory duty of data protection by design and default. Therefore, in addition to the above, the University requires a DPIA to be completed when:

  • Conducting research with human participants where they can be directly identified and where the risks cannot be fully considered within an ethics application;
  • Collecting and processing new personal data and/or using personal data for a new purpose;
  • Introducing new IT systems; and/or
  • Sharing data with other organisations, or internally, if this is a new and unexpected activity.

There may be other circumstances where a DPIA is beneficial. Please contact the Information Compliance Unit (info.compliance@qub.ac.uk) if you are unsure whether a DPIA is required.

Data Protection Policy

DPIA Submission Form