Risk Assessments (DPIAs)
Risk Assessments (DPIAs)
What risks need to be assessed?
When UCD, or someone on behalf of UCD collects, stores or uses (i.e. processes) personal data, the individuals whose data are processed may be exposed to privacy risks. It is important that personal data is handled legally, securely, efficiently and effectively to deliver the best possible protection for data.
This risk-profile needs to be determined for each personal data processing operation or project carried out, taking into account the complexity and scale of data processing, the sensitivity of the data processed, and the protective measures required. It is important to identify the risk level of personal data processing operations on a case-by-case basis and to develop and implement risk mitigating measures from the outset.
Who needs to undertake the risk assessment?
If UCD (via the School or Unit) is the data controller, it is their (School/Unit) obligation to assess the risk, and where a DPIA is needed, to make sure it is done. If it is a joint controller project, i.e. a project that was designed collaboratively between UCD and other organisations, one /single DPIA for the entire project might suffice, but it needs to be seen by and agreed upon by all partners.
NOTE:It is important to keep in mind that the legal responsibility for a DPIA cannot be delegated or outsourced by the controller to either another controller or a processor. Any School or Unit must take on the risk assessment responsibility for their project and activities in the UCD context.
Data Protection Impact Assessment (DPIA)
What is a DPIA?
DPIA stands for Data Protection Impact Assessment. It is a tool designed to identify risks arising out of the processing of personal data, and to minimise these risks as far and as early as possible by introducing risk reducing measures. Every time you have a new project in UCD that involves personal data you must carry out an initial short risk assessment, which consequently might identify the need for a full DPIA, depending on the anticipated risk level.
DPIAs are important tools for mitigating risk, and for demonstrating our compliance with the GDPR.
Further Information
- (opens in a new window)UCD Short Guide to DPIAs & Risk Assessments for Low-Risk Projects (including all relevant links and templates)*
- (opens in a new window)UCD Data Protection Impact Assessment (DPIA) Template
- (opens in a new window)UCD DPIA Committee Meeting Schedule & Submission Deadlines
- International Data Transfers
- (opens in a new window)UCD - FAQs to Transfer Impact Assessments (TIAs) *
- (opens in a new window)UCD - Template for (international) Transfer Assessment (TIA) / Transfer Risk Assessment (TRA)