Data Protection Impact Assessments 

A DPIA is a risk assessment, designed to identify, understand and manage data protection risks.

The University does not have to eliminate risk, but should minimise it and bring it within acceptable levels.

A DPIA must be carried out when processing likely to be high risk is planned. It can optionally be carried out for lower risk processing. 

It must be carried out before the processing begins, as its purpose is to identify and manage data protection risks. It is important to allow enough time to fully consider a DPIA as part of the planning for a new project or activity which will use personal data.

Yes. The DPIA screening tool includes guidance notes within the form to assist you when completing the screening process. 

You can also download the guidance notes to refer to separately: DPIA Screening Guidance Notes (MS Word , 13kb)

The University has adopted the template DPIA produced by the Information Commissioner’s Office. 

Using the DPIA screening tool will generate a DPIA template personalised to your project or activity, if one is required. 

If you require a blank copy of the template for reference, and are not currently undertaking a DPIA, please email dataprotection@york.ac.uk to request one.

For research projects, the DPIA should be completed by the Chief Investigator, Principal Investigator or Supervisor.

For all other projects, the DPIA should be undertaken by the project owner/lead.

Once you have completed the DPIA form, email dataprotection@york.ac.uk to request a review.

Once the review is complete, the Data Protection Officer will sign off the DPIA and you will be notified that your project or activity can go ahead.

When you use the online screening checklist your responses will be centrally recorded and emailed to you to keep with your project/activity records.