The “DPIA” – No. 3

The “DPIA” – No. 3

Intro and comments

In order to meet the latest privacy legislation, we need to consider data risks early in the design stage of any project. This week we will be looking at the Data Protection Impact Assessment (DPIA) which is a tool which allows us to do this and which supports ‘privacy by design’.

A data protection impact assessment (DPIA) is an evaluation and analysis of the risk to data privacy which might result from any action carried out in your practice. It is often done in projects where personal data is being shared, but it can and should be considered in any significant undertaking where there may be a risk to sensitive data.

Most practices will not need to undertake a DPIA, as one has already been commissioned by the NWL IG group for the sharing of personal information for direct health care.  Please ask your CCG for a copy of this when a new service is procured where you are sharing data. But if there are any changes to the way you process or share data, or if you are looking to share data in new ways, you will be required to do one. We have listed the criteria you need to assess whether or not a DPIA needs to be done and given some examples.

Our practices will shortly be moving to new premises, so we decided to carry out a DPIA to look at any risk to our data which might result from that move. You can see this as an example DPIA in the output documentation section.

Lastly, before we move into the nitty-gritty of DPIAs I wanted to close a point related to last weeks blog on data registration and mapping. Do remember that the mitigation of any significant risks identified through our data maps will, in due course, be reflected in our practice policies, protocols, guidelines and procedures (which will be dealt with in blog 9).

Review of action points from the prior session:

If you have not already completed them, here is a reminder of the actions from last week:

  • To do 01: Appoint a GDPR lead for your practice and let us know their name and email address by sending this and your practice details to
  • To do 02: Review the email and GP GDPR resource pack sent on 24th May
  • To do 03: If you are happy to use the interim FPN supplied (which we recommend) then publish this to a Fair Process Notice section on your practice website, with links to your local CCG sharing website. Please note that even if you had already uploaded the interim FPN to your website, you should repeat this process with the latest document (v1.03) which contains minor revisions as per the version control section.
  • To do 04: Add a link to the A3 poster which points to the FPN section on your practice website and display the A3 Poster in your practice.
  • To do 05: Build an information asset register and map the flows of data in and out of your practice
  • To do 06: Consider using an online resource (e.g. Blue Stream Academy, there are others) which has a module on GDPR theory which practice staff can go through
  • To do 07: Let us know at intervals how you are progressing on these checklists

Work covered this week:

Our Practice Managers are learning each week, as well as doing!  So below is some background about the importance of privacy by design and Data Protection Impact Assessments.

A) Privacy by Design and DPIAs – a bit of background

The DPIA enables data controllers to ensure that services are compliant with GDPR and Data Protection Act 2018. It integrates core privacy considerations into existing project management and risk management methodologies and policies.

DPIAs identify the information risks in relation to personal data and special categories of data but can also be used to assess information risk surrounding business sensitive data.

Complete a DPIA:

  • when you are sharing information between organisations; or
  • for any new or changes made to projects, services, products or systems.

By incorporating the privacy by design approach, data controllers are able to use it as an essential tool to minimise privacy risks and build trust.

Benefits of a DPIA include:

  • potential problems are identified at an early stage when addressing them will often be simpler and less costly;
  • increased awareness of privacy and data protection across an organisation;
  • organisations are more likely to meet their legal obligations and less likely to breach GDPR and Data Protection Act 2018;
  • actions are less likely to be privacy intrusive and have a negative impact on individuals; and
  • establish data processing instructions required within contracts or if Data Sharing Agreements need to be drafted.

B) Should I do a Data Protection Impact Assessment (DPIA)?

We used a data processing flow map, to assess if we needed to complete a DPIA.  Our two GP practices will be moving to new premises and under GDPR, this significant change requires us to complete a DPIA.

Below are some examples of when you need to complete a DPIA and when you don’t, and the DPIA Process Flow map we used.

Action point: 

Check to see if you need to undertake a DPIA, using the DPIA Process Flow Map and examples above.

If you are not sure if you need to complete a DPIA, enquire through the  Support Email

C)  How do I complete a Data Protection Impact Assessment?

Our consultants provided us with a DPIA template, and we worked through each of the tabs in turn to identify the information risks.  We have included a copy of our completed DPIA to help guide you through the process, as well as a template for you to complete (if necessary).

  • Complete tab one – Project details and provide an explanation of the new or change to process, service, product or system.
  • Complete the screening questions. If you have a ‘red’ answer you will need to complete each DPIA sheet/tab. If your answers are ‘green’ you do not need to complete the other DPIA sheet/tabs. This will be your evidence to demonstrate there are no information risks.
  • Complete DPIA Questionnaire 1 – and make notes against your answers.
  • Complete DPIA Questionnaire 2 – using the information you answered within screening ‘red’ and questionnaire 1, complete the questions (questionnaire 2) providing as much information as possible.

With all your answers, you should have identified the information risks. Complete the information risks and associated mitigating actions within sheet/tab 4.

Your Practice Data Protection Officer would normally review and approve the completed DPIA. However, as we are currently using an interim DPO we suggest that you engage your practice Caldicott Guardian in this process. If there are problems or questions please make any enquiries through the Support Email

. We anticipate that most practices will not need to undertake a DPIA, but where one has been done and requires formal approval this can be obtained through their DPO.

Actions must be completed and documented, to show compliance with GDPR and the Data Protection Act 2018.

Resources used

Output documentation:

Learning points:

  • Consider any changes or new projects that might have an impact on how you share or process information – always check to see if you need to complete a DPIA

Practice checklist:

  • To do 08  Assess whether you need to complete a DPIA using the DPIA Process Flow Map
  • To do 09  Complete the DPIA (only if necessary)
  • To do 10   Practice Data Protection Officer to review and approve DPIA (if complete Action 09)
  • To do 11    Action and document mitigation actions from DPIA (if complete Action 09)

Work planned for next session on 05.07.18

  • Review current processes for meeting individual rights to ensure compliance with GDPR and Data Protection Act 2018

Comments are closed.