Risk Assessments (DPIAs)

What risks need to be assessed?
When UCD, or someone on behalf of UCD, collects, stores or uses (i.e. processes) personal data, the individuals whose data are processed may be exposed to privacy risks. It is important that personal data is handled legally, securely, efficiently and effectively to deliver the best possible protection for data.

This risk profile needs to be determined for each personal data processing operation or project carried out, taking into account the complexity and scale of data processing, the sensitivity of the data processed, and the protective measures required. It is important to identify the risk level of personal data processing operations on a case-by-case basis and to develop and implement risk-mitigating measures from the outset.

Who needs to undertake the risk assessment?
If UCD (via the School or Unit) is the data controller, it is the School's or Unit's obligation to assess the risk and, where a DPIA is needed, to make sure it is done. If it is a joint controller project, i.e. a project that was designed collaboratively between UCD and other organisations, a single DPIA for the entire project might suffice, but it needs to be seen and agreed upon by all partners.

NOTE: It is important to keep in mind that the legal responsibility for a DPIA cannot be delegated or outsourced by the controller to either another controller or a processor. Any School or Unit must take on the risk assessment responsibility for their project and activities in the UCD context.

Data Protection Impact Assessment (DPIA)

What is a DPIA? 

DPIA stands for Data Protection Impact Assessment. It is a tool designed to identify risks arising out of the processing of personal data, and to minimise these risks as far and as early as possible by introducing risk-reducing measures. Every time you have a new project in UCD that involves personal data you must carry out an initial short risk assessment, which might in turn identify the need for a full DPIA, depending on the anticipated risk level.

DPIAs are important tools for mitigating risk, and for demonstrating our compliance with the GDPR. 

Further Information