The Data Protection Impact Assessment (DPIA) is a tool which helps assess data protection and privacy risks to individuals in the collection, use and disclosure of information.
The core principles of conducting a DPIA can be applied to any project, initiative, system or process change which involves the use of personal data, or to any other activity which could have an impact on the privacy of individuals.
Please note, a DPIA is a living document. Therefore, once a DPIA has been completed and signed off, it is recommended that it is reviewed whenever changes are made to the project, initiative, system or process, to ensure that the DPIA is still accurate.
A project which has included a DPIA at the very start, and updated it as the project progresses, should be less privacy intrusive and therefore less likely to affect individuals in a negative way.
Data flows
The best data protection and privacy assessments give ample consideration to flows of data. A data flow map is a graphical representation of the data flow and includes:
Incoming and outgoing data.
Organisations and/or people sending/receiving information.
Storage for the ‘data at rest’, i.e. system, filing cabinet, encryption used.
Methods of transfer.
As part of completing a DPIA, the data flow mapping must be recorded. Any risks identified by completing the DPIA must be entered onto the relevant organisation’s suitable risk register.
To support you with completing this DPIA template, you may wish to contact your IG lead who may be able to provide copies of completed DPIAs for similar projects. This may be helpful to set out the level of information that is required when completing a DPIA.