- Approach to this
- What is a DPIA
- Annual reviews of this
- Include something about Change Control, i.e. that IG is included in our change control systems and processes
As part of our principles of IG - we take a []
Data Protection Impact Assessments (DPIA)
What are DPIAs?
A DPIA enables us to identify the impact that any project might have on the rights of the public or staff (or any other relevant data subject). It also allows us to reconsider, and if needed modify, those plans to address any privacy concerns.
When do I need to carry out a DPIA?
DPIAs should be used whenever you’re implementing a new system or service, or changing the way in which an existing system/service works. If this applies and there is any processing of personal data, then you should aim to do a DPIA and keep it on file.
See the diagram below for more details:
If you’re unsure about the answer to question 2, filling in the first section of the questionnaire below will help to guide this, or you can ask one of the Key People.
How do I carry out a DPIA?
The key to a DPIA is the DPIA Questionnaire. If you’ve determined that a DPIA is required, then you can go ahead and complete the questionnaire.
As you complete the DPIA, you should set out how and why you’re accessing any sensitive data, and any plans to mitigate the risks this creates.
Once that’s done, you should get approval for the DPIA from the DPO or the SIRO. Once signed off, you should file this document, start your work and implement any actions as laid out in the DPIA.
Any more info I might need?
For our full DPIA procedure and supporting documents, please see below: