Data Protection Impact Assessments (DPIA's)

A new requirement under GDPR, is the process of conducting DPIAs for any new high risk processing projects. 

A DPIA is the process of systematically considering the potential impact that a project or initiative might have on the privacy of individuals. It will allow organisations to identify potential privacy issues before they arise, and come up with a way to mitigate them. A DPIA can involve discussions with relevant parties/stakeholders. Ultimately such an assessment may prove invaluable in determining the viability of future projects and initiatives. The GDPR introduces mandatory DPIAs for those organisations involved in high-risk processing; for example, where a new technology is being deployed, where a profiling operation is likely to significantly affect individuals, or where there is large scale monitoring of a publicly accessible area.

Where the DPIA indicates that the risks identified in relation to the processing of personal data cannot be fully mitigated, data controllers will be required to consult the DPC before engaging in the process.

The Data Protection Commissioner has issued detailed guidance on DPIAs:


What is UCC doing about DPIAs?

As part of UCC’s GDPR Project, the University will be developing guidance for staff and templates to be used to carry out DPIAs.

A procedure and template, aligned with the University’s risk management methodology, will be created in consultation with the University Risk Manager and the functional areas who are likely to need to perform PIAs.

For further information, please contact Catriona O’Sullivan, Information Compliance Officer at

Office of Corporate and Legal Affairs

1 st Floor, East Wing, Main Quadrangle,