SOAS University of London

Data Protection Impact Assessment Guide

  1. Introduction
  2. Screening checklist
  3. What do we include in a DPIA?
  4. What is the objective of a DPIA?
  5. Are there any further steps?
  6. Definitions

Introduction

A Data Protection Impact Assessment (DPIA) is a type of risk assessment for personal data. We carry out a DPIA to identify and minimise the data protection risks of a project. The types of projects which might require a DPIA are:

  • Procuring a new content management system or customer relationship management system, or other IT platform that will be used to process large volumes of personal data
  • Introducing a new service which will involve processing personal data for new purposes
  • Undertaking a research project that will involve processing special category personal data, or processing personal data in less stable political climates
  • Undertaking any form of project, research or otherwise, which involves profiling individuals with the intention of making decisions which could have significant effects, or where new technologies are used.

We must carry out a DPIA for any processing that is likely to result in a high risk to individuals. To determine whether processing is high risk, staff should carry out a screening exercise, asking questions about the nature of the processing needed to fulfil the objectives of the project. The types of questions you need to ask are in the section below.

When assessing the overall risk level of a processing activity, the factors considered will be the likelihood of the risk occurring, and the severity of the impact on the individual.

If you are planning a project which is likely to involve large scale processing of personal data, where individuals might be profiled through automated decisions or using special category data, where we plan to use new or innovative technologies, or where data might be combined, compared or matched from various sources, then you should get in touch with the Information Compliance Manager about carrying out a DPIA. Please email do6@soas.ac.uk or dataprotection@soas.ac.uk, or call 020 7898 4817.

Screening Checklist

At SOAS we will always carry out a DPIA if we plan to:

  • Use systematic or extensive profiling or automated decision-making to make significant decisions about people, particularly where those decisions produce legal effects on the individual
  • Process special category or criminal offence data, or data of a highly personal nature (which may include financial data) on a large scale
  • Systematically monitor a public space on a large scale
  • Use new or innovative technologies or organisational solutions, such as fingerprint recognition or retina scanning
  • Use profiling, automated decision-making or special category data to help make decisions about someone’s access to a service, opportunity or benefit
  • Carry out profiling on a large scale
  • Combine, compare or match data from multiple sources
  • Process personal data without providing a privacy notice directly to the individual
  • Process personal data in a way which involves tracking an individual’s online or offline location or behaviour
  • Process personal data which could result in a risk of physical harm in the event of a security breach

We will also consider carrying out a DPIA for any project which involves processing personal data on a large scale.

If there is a change to the nature, scope, context or purposes of our processing, we will carry out a new DPIA.

What do we include in a DPIA?

Article 35 of the General Data Protection Regulation informs Data Controllers what they should include in a DPIA. There are four main requirements which need to be met, each relating to a stage in the process. The sequence of the process is outlined in the numbered list below:

  1. A systematic description of the processing must be provided. This must include a description of the nature, scope, context and purposes of the processing
  2. Interested parties must be involved and consulted, for example the Data Protection Officer and data subjects or their representatives
  3. The necessity and proportionality of the processing must be assessed, taking into account the lawful conditions of processing, the data protection principles, and the facility for individuals to exercise their rights as data subjects
  4. Risks to the rights and freedoms of data subjects must be managed, taking into account the origin, nature, particularity and severity of each risk

SOAS has a template for carrying out a DPIA, which is scalable and can be adapted for different projects. The template can be downloaded here: Data Protection Impact Assessment Template (msword; 76kb)  

What is the objective of a DPIA?

A DPIA is not a process of eliminating all data privacy risks which might be identified when initiating a project. The aim of a DPIA is to identify where the data protection risks to individuals lie, and what solutions can be adopted to reduce the level of risk from high to medium or low, or even to eliminate the risk completely.

Once the first four stages of the DPIA process have been completed, the School must get sign-off on each of the identified risks and the remedial solution proposed. The sign-off should come from the Information Asset Owner. Typically, this will be the Director of Professional Services, Deputy COO or Head of Department.

The project team should ensure that the outcomes of the DPIA are integrated into the wider project plan, and they will be responsible for keeping the DPIA under review to ensure that the outcomes are implemented.

Are there any further steps?

If the DPIA successfully reduces the data protection risks from a high level to a lower level, we do not need to inform the Information Commissioner’s Office (ICO). However, if after completing the DPIA process the level of risk is still high, the ICO must be consulted. SOAS would not be allowed to begin processing until the consultation period has ended, and this will generally take six to eight weeks (although a further six weeks may be needed in complex cases). The ICO will let us know in writing whether the risks are acceptable, or whether they want us to take further action. In some cases the ICO may tell us not to go ahead with the processing if they conclude that it would breach data protection law.

Definitions

High risk: Processing is likely to be considered high risk if done for any of the purposes set out in the screening stage.

Large scale: For the purposes of the DPIA process, SOAS should consider the following factors when deciding whether processing is ‘large scale’:

  1. the number of data subjects concerned, either as a specific number or as a proportion of the relevant population;
  2. the volume of data or the range of different data items being processed;
  3. the duration or the permanence of the data processing activity; and
  4. the geographical extent of the processing activity.