Data Protection Impact Assessments

The UK GDPR requires the University to undertake a Data Protection Impact Assessment (DPIA) before carrying out ‘processing likely to result in a high risk to individuals’ interests’.

This page contains information to help you to decide whether a DPIA is needed, and to guide you through the process.

For additional support, email dataprotection@york.ac.uk

Use our online DPIA screening tool

1. What is a DPIA?

A DPIA is a risk assessment designed to identify, understand and manage the data protection risks of a proposed processing activity.

The University does not have to eliminate every risk, but it must reduce the risks it identifies and bring the residual risk within acceptable levels.

2. When should a DPIA be carried out?

A DPIA must be carried out whenever planned processing is likely to be high risk. It can optionally be carried out for lower risk processing.

It must be completed before the processing begins, because its purpose is to identify and manage data protection risks before they arise. Allow enough time to consider the DPIA fully as part of the planning for any new project or activity that will use personal data.

3. Is there guidance to help determine if a DPIA is needed?

Yes. The DPIA screening tool includes guidance notes within the form to assist you when completing the screening process.

You can also download the guidance notes to refer to separately: DPIA Screening Guidance Notes (MS Word, 13kb)

4. Does the University have a template DPIA?

The University has adopted the template DPIA produced by the Information Commissioner's Office.

If a DPIA is required, the DPIA screening tool will generate a DPIA template personalised to your project or activity.

If you require a blank copy of the template for reference, and are not currently undertaking a DPIA, please email dataprotection@york.ac.uk to request one.

5. Who is responsible for completing the DPIA?

For research projects, the DPIA should be completed by the Chief Investigator, Principal Investigator or Supervisor.

For all other projects, the DPIA should be undertaken by the project owner/lead.

6. Who is responsible for DPIA sign-off?

Once you have completed the DPIA form, email dataprotection@york.ac.uk to request a review.

Once the review is complete, the Data Protection Officer will sign off the DPIA and you will be notified that your project or activity can go ahead. Do not start the processing before this sign-off has been given.

7. What should we do if we decide not to undertake a DPIA?

Keep a record of the screening decision. When you use the online screening checklist, your responses are centrally recorded and emailed to you; keep that email with your project/activity records as evidence that screening was carried out and of the outcome.