Risk Assessments (DPIAs)

When UCD, or someone on behalf of UCD collects, stores or uses (i.e. processes) personal data, the individuals whose data are processed may be exposed to privacy risks. It is important that personal data is handled legally, securely, efficiently and effectively to deliver the best possible protection for data.

This risk-profile needs to be determined for each personal data processing operation or project carried out, taking into account the complexity and scale of data processing, the sensitivity of the data processed, and the protective measures required. It is important to identify the risk level of personal data processing operations on a case-by-case basis and to develop and implement risk mitigating measures from the outset.

If UCD (via the School or Unit) is the data controller, it is their (School/Unit) obligation to assess the risk, and where a DPIA is needed, to make sure it is done. If it is a joint controller project, i.e. a project that was designed collaboratively between UCD and other organisations, one /single DPIA for the entire project might suffice, but it needs to be seen by and agreed upon by all partners.

NOTE:It is important to keep in mind that the legal responsibility for a DPIA cannot be delegated or outsourced by the controller to either another controller or a processor. Any School or Unit must take on the risk assessment responsibility for their project and activities in the UCD context.