Risk Assessments (DPIAs)
What risks need to be assessed?
When UCD, or someone on behalf of UCD collects, stores or uses (i.e. processes) personal data, the individuals whose data are processed may be exposed to privacy risks. It is important that personal data is handled legally, securely, efficiently and effectively to deliver the best possible protection for data.
This risk profile needs to be determined for each personal data processing operation or project carried out, taking into account the complexity and scale of data processing, the sensitivity of the data processed, and the protective measures required. It is important to identify the risk level of personal data processing operations on a case-by-case basis and to develop and implement risk-mitigating measures from the outset.
Who needs to undertake the risk assessment?
If UCD (via the School or Unit) is the data controller, it is the School's or Unit's obligation to assess the risk and, where a DPIA is needed, to make sure it is done. If it is a joint controller project, i.e. a project that was designed collaboratively between UCD and other organisations, a single DPIA for the entire project might suffice, but it needs to be seen and agreed upon by all partners.
NOTE: It is important to keep in mind that the legal responsibility for a DPIA cannot be delegated or outsourced by the controller to either another controller or a processor. Any School or Unit must take on the risk assessment responsibility for their project and activities in the UCD context.
Data Protection Impact Assessment (DPIA)
What is a DPIA?
DPIA stands for Data Protection Impact Assessment. It is a tool designed to identify risks arising out of the processing of personal data, and to minimise these risks as far and as early as possible by introducing risk-reducing measures. Every time you have a new project in UCD that involves personal data, you must carry out an initial short risk assessment, which might in turn identify the need for a full DPIA, depending on the anticipated risk level.
DPIAs are important tools for mitigating risk, and for demonstrating our compliance with the GDPR.
How to determine what assessment is required for your project:
For links in the image above, please see as follows:
- Screening Questions
- UCD Data Protection Impact Assessment (DPIA) Template (UCD Full DPIA)
- UCD Risk Assessment for Low-risk Projects
Submitting a DPIA to the UCD DPIA Committee?
- Complete the Check-List BEFORE Submitting your DPIA to the UCD DPIA Committee
- Check the UCD DPIA Committee Meeting Schedule and Submission Deadlines.
Further Information
- UCD Short Guide to DPIAs & Risk Assessments for Low-Risk Projects (including all relevant links and templates)*
- UCD Data Protection Impact Assessment (DPIA) Template
- UCD DPIA Committee Meeting Schedule & Submission Deadlines
- CHECK-LIST BEFORE SUBMITTING YOUR DPIA TO THE UCD DPIA COMMITTEE
- International Data Transfers
- UCD - FAQs to Transfer Impact Assessments (TIAs) *
- UCD - Template for (international) Transfer Assessment (TIA) / Transfer Risk Assessment (TRA)