
Data Protection Impact Assessment

Step 2 – Process, Risks, Review & Recommendations

Purpose

The primary purpose of a Data Protection Impact Assessment (DPIA) is to identify whether what is being proposed gives rise to any ‘High Risks’ from a data privacy perspective, to document those risks and to mitigate them where possible. Under GDPR, the University has a legal obligation to perform a DPIA in certain circumstances in relation to a proposed project, process or research proposal (all of which are collectively referred to as ‘projects’ hereinafter) where there is an intention to collect, create or use personal data. The University may also insist that a DPIA is completed where, in the opinion of the Data Protection Unit (DPU), one is needed in order to ascertain the specific personal data protection implications of a project. If it is not possible to mitigate a project’s data protection risks to an acceptable level then the intended project may have to be substantially altered, or even discontinued.

Instructions

The first step in the process is to complete the separate DPIA Screening Questionnaire and have it assessed by the DPU. Where on review of that questionnaire it is then considered necessary to proceed to a DPIA, the second step in the process is to complete this DPIA, return it to the DPU for assessment and await feedback before beginning to collect or process any personal data as part of the project. The DPIA seeks to identify the data protection issues to be addressed at an early stage in the project followed by an assessment of its related data protection risks. Please complete sections (A), (B) & (C) in full. Do not leave blank spaces; if a section or question is not relevant or applicable then state ‘N/a’. Once complete, this DPIA in a Microsoft Word format, along with any additional documentation you feel relevant, is to be returned to the DPU at [email protected]. The DPU will then assess the DPIA, document the risks in section (D) and advise you of its recommendations, which may entail changes to the project.

Note on Section (C) - Health Research

If a project is deemed to be ‘Health Research’ then the completion of a DPIA (i.e. as per Step # 2 of the process) is a mandatory legal requirement. Therefore you must also complete Section (C) of this Screening Questionnaire, even if you do not believe the project falls within the area of ‘Health Research’.


Responsibility

Where a DPIA is deemed necessary, following Step # 1 of the process, it is the responsibility of the relevant Head of Unit in the case of a proposed new or upgraded process, system or project, or the Principal Investigator in the case of a research proposal, to ensure that the DPIA is completed and returned to the DPU for assessment. The actual completion of the DPIA may be delegated to another member of the unit, or research team, who is familiar with the project and who also ideally has an understanding of the law regarding personal data and good data management practices. While the DPU will assist with queries on the completion of a DPIA, you are encouraged in the first instance to also seek the advice of the GDPR Data Advocate for your unit, a list of whom can be obtained from the DPU Webpage. Ideally, all relevant stakeholders involved in the project should also be consulted where appropriate when completing the DPIA to ensure it is comprehensive and accurate.

When to do a DPIA

If a DPIA is deemed necessary by the DPU then its completion should take place as early as possible in the life cycle of the project, once the project parameters are known and crucially before any personal data is collected or processed (to comply with the GDPR Principle of ‘Data Privacy by Design’). If the project is a research proposal then the DPIA should be completed in advance of applying for funding, as there may be substantial financial costs in complying with good data governance and GDPR that should be factored into the application.

What happens to a completed DPIA?

The DPU will consider the risks highlighted by the DPIA and, if appropriate, provide you with recommendations to be incorporated into the project. The final DPIA is to be held with the project’s records and a copy will be retained by the DPU.

Other points to note

1) Freedom of Information (FOI)
DCU is subject to FOI legislation. This DPIA, like all records of the University, may be subject to an FOI request.

2) Changes to a project
If there are any material changes to the project as it progresses there may be a need to revise the DPIA. Should this arise please consult with the DPU.

3) Text in Italics
Throughout this DPIA any text in italics is provided to assist and guide you in answering the questions asked.

4) Screening Questionnaire
When completing any section in this DPIA you are free to re-enter any details or information already noted in the separate screening questionnaire where completed in line with step # 1 of the DPIA process.


CONTENTS

Section A - Key Project Information / Details
Section B - GDPR Principles Alignment
1) Describe the nature of the proposed data processing
2) Lawfulness of the proposed data processing
3) Transparency & Awareness
4) Reuse of Existing Data
5) Ensuring the accuracy of the Personal Data being processed
6) Assessing the necessity of the proposed data processing
7) Data Security
8) Data Retention
9) Catering for the data rights of individuals
Section C – Health Research
Section D – Risk Assessment & Mitigation


SECTION A - KEY PROJECT INFORMATION / DETAILS

Ref Detail Required Answer

1 Project Title

2 Name of Head of Unit or Principal Investigator Name: DCU Unit:

3 Your own details Name: Position / Title: DCU Unit:

4 Date of completion of this DPIA

5 Why, in your opinion, do you believe a DPIA is needed for this project?

Reasons might be:
a) the completion of the Step # 1 Screening Questionnaire indicated a DPIA is necessary;
b) my Unit’s GDPR Data Advocate or the DPU requested it;
c) this research project is similar to existing processing carried out by the research team and as such it is understood that for similar reasons the research falls under the definition of ‘high risk’ processing;
d) relevant sections of the Data Protection guidance are quoted in support of the decision to carry out a DPIA;
e) Other?


6 Please confirm whether you have attended or taken:

a) the ‘Introduction to Data Protection for Staff’ training session provided by the DPU;

or

b) the online ‘Data Protection for Staff’ course which is available through DCU Loop;

or

c) any other form of personal data protection training (please elaborate).

Yes / No (Delete as appropriate)

When?

7 When is work on the project likely to begin?

8 When is the project expected to be completed?

9 What is the objective / purpose of the project? The objective / purpose of the project is to ….

SECTION B - GDPR PRINCIPLES ALIGNMENT

1) Describe the nature of the proposed data processing

Ref: Question Answer

1.1 Will the project collect, obtain, create or process personal data?

Yes / No (Delete as appropriate)

Personal data basically means any information about a living person, where that person either is identified or could be identified, either from the data itself or when combined with other data.

Examples are name, DOB, email address, phone number, residential address, physical characteristics, location data, CCTV, voice or image recordings etc.

1.2 List the different types/categories of personal data to be used.

The types/categories of personal data collected, created or processed (delete as applicable) consist of the following:

a) …
b) …
c) …

1.3 Will the project collect, create or process any ‘Special / Sensitive’ personal data?

Personal data can in practice be divided into two categories i.e. ‘normal personal data’ and ‘sensitive/special personal data’.

Sensitive/Special personal data is data related to an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health (physical and/or mental), data concerning a person’s sex life or sexual orientation or data relating to criminal convictions or offenses.

Yes / No (Delete as appropriate)

If ‘Yes,’ please indicate which of the categories listed below will be used in the project (delete those which do not apply).

- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- genetic data
- biometric data
- data concerning health
- data concerning a natural person's sex life or sexual orientation
- data relating to criminal convictions or offenses


‘Processing’ is very broadly defined and covers the entire life cycle of data from beginning to end.

1.4 Will the project involve any of the following types of processing:

a) evaluating or predicting outcomes in individuals;
b) decision making by any automated means;
c) monitoring the behaviour of individuals;
d) the surveillance of individuals;
e) use of biometric technology (e.g. fingerprinting or facial recognition);
f) using location data about individuals; &
g) profiling of individuals

The above items are deemed to be examples of ‘High Risk Processing’ activities.

Yes / No (Delete as appropriate)

If ‘Yes’ please list the relevant types of processing here.

1.5 From what source(s) will the project collect or otherwise obtain the personal data?

Note this includes any personal data created during the project e.g. where two or more anonymous datasets are combined to create one dataset of personal data. Please list all sources.

The personal data will be obtained from ….

or

The project will create personal data by …

(Delete as appropriate)

1.6 What is the expected number of project participants whose data will be obtained and/or processed in the project?

How many 1 to 20, 21 to 50, 51 to 100, Over 100, Over 200 etc.

The number of project participants whose data will be obtained and/or processed as part of the project is expected to be ….

1.7 Will the project process data relating to minors or vulnerable individuals?

Yes / No (Delete as appropriate)

A minor is defined as an individual below 18 years of age (where the processing relates to ‘electronic marketing’ the age limit is reduced to 16 years).

A vulnerable individual may be anyone who is unable to consent to, or oppose, the processing of his or her data for any reason.

Both of the above definitions are of particular importance if the project compels the provision of data from individuals.

1.8 Describe how the personal data will be processed.

When doing so please consider the following:

a) what is the data flow (i.e. from obtaining the data, its processing within the project, to its final output or destination);
b) the frequency of the intended processing; and
c) the duration of the processing.

2) Lawfulness of the proposed data processing

To legally process personal data, a legal basis upon which to do so must be established. This section of the DPIA (i.e. # 2) deals with establishing the relevant legal basis to be invoked.


There must be at least one legal basis established for processing personal data. However, when processing ‘Special’ or ‘Sensitive’ personal data an additional legitimizing condition, from a prescribed list, is required. Without one of those conditions being met then the processing of special or sensitive data is expressly prohibited under law. The available legitimizing conditions for processing special or sensitive data are addressed in sub-section (B) below. Sub-section (A) below deals exclusively with establishing a legal basis for the processing of the personal data.

Sub-section (A) – Establishing a legal basis to process Personal Data

See definition of Personal data in section reference (1.1) above. From the panel options listed below at (2.1) to (2.6) select the applicable legal bases you believe are appropriate for the personal data to be processed or used in the project by selecting ‘Yes’ or ‘No’. Where you have selected ‘Yes’, indicate in the ‘Additional Comments’ panel why you have done so.

For additional guidance see GDPR Article 6 (1)

Ref Applicable Legal Basis Yes No Additional Comment

2.1 The project is based on consent, where the individuals concerned have given their clear consent for the project to use their personal data for a stated purpose. < GDPR Art. 6 (1) (a) >

The purpose is usually stated by means of a ‘Data Privacy Notice’ or ‘Plain Language Statement’. Please note that consent should not be used if there is another alternative available because, if consent is withdrawn, all processing must also cease.

2.2 The project is being undertaken based upon a contract with the individual(s) and the processing is necessary to fulfil the terms of that contract. < GDPR Art. 6 (1) (b) >


An example would be an employment contract.

2.3 The project is being undertaken because of a legal obligation on the University not linked to a contract at 2.2 above. < GDPR Art. 6 (1) (c) >

An example would be to comply with legislation such as payroll taxes or health and safety law.

2.4 The project is being undertaken so that the University can perform a task in the public interest or because of an official function bestowed on the University by the State. < GDPR Art. 6 (1) (e) >

An example would be non-health related research, as provided for under the Universities Act 1997.

2.5 The project is being undertaken based upon a legitimate interest of the University and is necessary to perform that interest. < GDPR Art. 6 (1) (f) >

In practice this legal basis will be rarely, if ever, used in a DCU context.

This is because a public body such as DCU cannot use ‘legitimate interest’ to process personal data if the data is being processed in regard to one of its ‘Official Tasks’. There are however exceptions - see further guidance at this link.

2.6 The project is being undertaken to protect the ‘Vital Interests’ of an individual or group of individuals i.e. to protect their lives and / or to prevent harm to their wellbeing. < GDPR Art. 6 (1) (d) >

In practice this legal basis will be rarely, if ever, used in a DCU context.

This basis should not be used if another more applicable basis is available. The processing must be necessary as opposed to optional. If you can reasonably protect the person’s vital interests in another less intrusive way, this basis will not apply. You cannot rely on the basis of ‘vital interest’ for health data, or any other special or sensitive category of data, if the individual is capable of giving consent, even if they refuse their consent. If you rely on this basis, document the circumstances where it will be relevant and ensure you can justify your reasoning.

Sub-section (B) – Where ‘Sensitive’ or ‘Special’ Personal Data is to be processed

Where ‘Special’ or ‘Sensitive’ personal data is to be processed, in addition to invoking at least one of the legal bases set out in the panels above in sub-section (A), one of the additional legitimizing conditions set out below must also be invoked. The ones listed are the most likely to arise in a university context, but there are others (see Article # 9 of GDPR).

Please select the basis you believe is appropriate for this category of personal data by selecting ‘Yes’ or ‘No’ from the options listed below in sections referenced (2.6) to (2.10).

Where you have selected ‘Yes’, indicate in the ‘Additional Comments’ panel why you have done so.

‘Special’ or ‘Sensitive’ personal data is defined as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.


Ref Applicable Legitimizing Condition Yes No Additional Comment

2.6 The project is based on the informed, explicit, unambiguous, freely given and documented consent of the individual(s) concerned to have their personal data used for a defined and specified purpose only. < GDPR Art 9 (2) (a) >

The purpose is usually stated by means of a ‘Data Privacy Notice’ or ‘Plain Language Statement’ which the individual has signed or to which they have otherwise provided their documented assent. Please note that consent should not be used if there is another alternative available because, if consent is withdrawn, all processing must also cease.

2.7 The project is being undertaken for reasons of substantial public interest, which has a basis in law. < GDPR Art. 9 (2) (g) >

2.8 The processing relates to personal data which has been manifestly made public by the individual(s) to whom it belongs. < GDPR Art. 9 (2) (e) >

2.9 The processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. < GDPR Art. 9 (2) (j) >

2.10 The processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law. < GDPR Art. 9 (2) (h) >

3) Transparency & Awareness

Ref: Question Answer

3.1 How will the individuals, whose data is to be processed by the project, be made aware of the intended processing?

Individuals must be informed as to how their data is to be processed. This may be achieved by setting out basic information such as the identity of the parties who carry out the processing (e.g. DCU and maybe others) and the purposes of the processing. In a research project this can be achieved by use of a ‘Consent Form’ in combination with a ‘Plain Language Statement’. In other cases a ‘Data Privacy Notice’ or ‘Data Protection Statement’ may be provided.

Please provide copies of communication, in whatever format, which has been or will be provided to the individuals whose data will be used in the project.

3.2 Will the data be shared with, or processed by, a third party? If yes please list all parties involved.

In this context a third party is any party other than DCU and the individual or organisation that will provide the data to be used in the project. Typical examples are other collaborators in a research context, or where any element of the data processing is to be outsourced (e.g. the storage of data in a cloud provider, translation services etc).

Yes / No (Delete as appropriate)

The third parties involved in the project are ….

3.3 Where the data is to be shared or processed by a third party, have the individuals who own the data been informed of this intention?

If not, why were they not informed?

Please provide copies of communication, in whatever format, which has been or will be provided to the individuals.

Yes / No (Delete as appropriate)

3.4 Is it likely or possible that the individuals to whom the data belongs would be surprised to know that their data is to be processed by the project for the reasons, or in the manner, stated?

Yes / No (Delete as appropriate)

3.5 Have the DCU members of staff who will be involved in the project received or taken any recent training in data privacy or GDPR?

Training can be provided by DPU on request or alternatively the staff may access the online Data Protection Course for Staff available on Loop.

Yes / No (Delete as appropriate)

4) Reuse of Existing Data

Ref: Question Answer

4.1 Will the project reuse data already available, to hand or originally obtained for another purpose?

Yes / No (Delete as appropriate)

The project will ….


This question is relevant for all projects but especially so in the case of research proposals which intend to reuse data for new research.

4.2 If the answer to (4.1) above is yes, for what purpose was the data originally obtained?

4.3 Will the project combine two or more anonymous (or pseudo-anonymous) datasets in such a way as to create a new dataset containing information about individuals that can no longer be considered anonymous?

In effect you will be creating, by ‘Reverse Engineering’, a new dataset of personal data as opposed to merely one with information that cannot be linked to a living individual i.e. it is no longer ‘fully anonymous’.

5) Ensuring the accuracy of the Personal Data being processed

Ref: Question Answer

5.1 How will the project ensure that the personal data being used is reasonably accurate and up to date?

Relevant matters to consider are whether the data is being obtained from individuals directly or through an intermediate party, whether existing datasets are to be reused, or the length of time between the original data collection and its processing within the intended project.

5.2 Briefly describe the consequences, for both the individuals who own the data and the University, if the data to be used in the project is found to be out of date or inaccurate.

Consider whether it will cause any legal, financial, reputational or social harm to the individual or the University.

Potential consequences for an individual are ….

Potential consequences for the University are ….

6) Assessing the necessity of the proposed data processing

Ref: Question Answer

6.1 Is it essential to the project that it obtains and / or processes all of the categories of personal data as listed in your answer to section (1.2)?

It may be the case that some or all of the data can be fully anonymised before use by the project without substantially affecting the aim or purpose of the project.

Yes / No (Delete as appropriate)

6.2 Will the project require the contacting of individuals in a manner that they may find intrusive?

This could include unsolicited:
- Emails
- Survey requests
- phone calls
- text messages
- Social media prompts etc.

Yes / No (Delete as appropriate)

6.3 Where any element of the processing of data is being outsourced to an external party, have you considered whether this service can be provided by DCU instead?

Yes / No (Delete as appropriate)


6.4 Will information about individuals be disclosed to organisations or people who have not previously had routine access to that information?

This could be the case where the project requires the services of an external agent or organisation to assist in the processing of personal data in any way.

Yes / No (Delete as appropriate)

6.5 In preparing this DPIA did you consult with the relevant project stakeholders and who were they?

Internal examples in a DCU context might be your Unit’s GDPR Data Advocate, or ISS or Procurement or Research Support Services.

External examples might be any 3rd party processors, research collaborators, the Irish Data Protection Commissioner or the Health Research Board.

Yes / No (Delete as appropriate)

The project’s stakeholders are ….

6.6 Are the project’s stakeholders (e.g. the individuals who own the data, plus any other third parties) likely to have any privacy concerns about the project?

Please elaborate on why you believe ‘Yes’ or ‘No’ is the appropriate answer to the above question.

Yes / No (Delete as appropriate)

The reason being……

7) Data Security

Ref: Question Answer


7.1 Describe in detail the security measures that will be taken to protect the data within the project.

Protection means safeguarding the data from accidental or malicious loss, destruction, alteration, damage or the publication / disclosure of the data without authorisation.

Typical measures include:
- Pseudo anonymization of the data
- Encryption of devices used to store or transmit data
- Access controls to the data
- Hierarchy of access depending upon degree of sensitivity of data
- Data sharing restrictions
- Project team training in data protection
- Regular & tested backups of the data

7.2 Will the project expose the personal data to an unusual level of security risk?

Examples are:
- processing or transfer of data while using unencrypted devices
- data being shared with another unit of the University for any purpose.

Yes / No (Delete as appropriate)

If ‘Yes’ please elaborate on the nature of the risks.

7.3 If, as part of the project, the data is to be processed or shared outside of the University, has a ‘Data Processing (or Sharing) Agreement’ been put in place with that external party?

The DPU can be contacted to advise on the appropriate form of agreement to put in place, should one be necessary.

Yes / No / Not Applicable (Delete as appropriate)

If ‘Yes’ please elaborate on the nature of the relationship.


7.4 Will the project involve the sharing or processing of personal data outside the EU or the EEA?

e.g. the data being transferred / shared with a party outside of the EU or the EEA i.e. the European Economic Area (the EU plus Norway, Liechtenstein and Iceland)

8) Data Retention

Ref: Question Answer

8.1 For how long will the project retain or keep the personal data?

In general, personal data may only be held by the University for so long as it has a use or purpose (which must be the same as the one for which the data was originally obtained). There are exceptions to this general principle which the DPU can advise on.

8.2 What plans do you have in place to delete or erase the personal data used by the project once its retention period has been exceeded?

The means of erasing or deleting the data will depend upon the medium in which it is held e.g. hard copy (paper) or electronic (e.g. on an IT system). It may also be possible to fully anonymise the data at the end of the retention period as an alternative to deleting it.


9) Catering for the data rights of individuals

Ref: Question Answer

9.1 Please describe the arrangements within the project to cater for the following legal rights of the individuals who own the data:

- right to a copy of their data (aka ‘Data Access Request’)
- right to correct mistakes within the data
- right to erase their data on request
- right to object to processing of their data (where based on consent or legitimate or public interest)
- right to have their data transferred to another organisation (i.e. Data Portability)
- right to object to profiling or automated decision making.

While the above are legal rights, they are not absolute. There are exceptions to some which the DPU can advise on.

9.2 Will the data processing in itself prevent individuals from exercising a right under GDPR, or from using a service, or exercising a contract?

a) An example could be a large-scale or extensive processing operation (e.g. CCTV) which aims to process a considerable amount of personal data at a regional, national or supranational level which could affect a large number of data subjects and which is likely to result in a high risk to their rights and freedoms.


or

b) it could also include data processed for taking decisions regarding individuals following a systematic and extensive evaluation of the personal aspects relating to them based on profiling, especially of special categories of personal data, biometric data, or data on criminal convictions and offences or related security measures.

SECTION C – HEALTH RESEARCH

Health research involving personal data is a specific category of data processing that requires particular scrutiny and compliance with Health Research Regulations. To assist in determining whether the project qualifies as health research please consider the indicators in the table below.

Indicator of health research | Yes / No

(i) research with the goal of understanding normal and abnormal functioning, at molecular, cellular, organ system and whole body levels;

(ii) research that is specifically concerned with innovative strategies, devices, products or services for the diagnosis, treatment or prevention of human disease or injury;

(iii) research with the goal of improving the diagnosis and treatment (including the rehabilitation and palliation) of human disease and injury and of improving the health and quality of life of individuals;

(iv) research with the goal of improving the efficiency and effectiveness of health professionals and the health care system;


(v) research with the goal of improving the health of the population as a whole or any part of the population through a better understanding of the ways in which social, cultural, environmental, occupational and economic factors determine health status;

Section 3(2) (b) Health research referred to in clause (i) to (v) of subparagraph (a) may include action taken to establish whether an individual may be suitable for inclusion in the research.

SECTION D – RISK ASSESSMENT & MITIGATION

This section is for completion by the Data Protection Unit

This section summarises the significant data protection risks of the project as identified by the DPU after its review of sections (A), (B) & (C) above. As already stated the primary purpose of the DPIA is to identify and mitigate the data protection risks related to a project. Such risks may relate to the rights of a Data Subject as well as non-compliance with data protection legislation in general. Where a risk is identified an assessment of its potential likelihood and impact is made to determine whether the risk is high, medium or low after consideration of any identified controls or solutions already implemented (i.e. a residual risk model) within the project.

Where, in the opinion of the DPU, additional controls or solutions are required for each risk these tailored recommendations are to be documented and communicated back to the Project Lead (i.e. the Head of Unit or Principal Investigator) for incorporation into the project plan. Where the recommendations are not accepted by the Project Lead, the DPU must document this and have the Lead explain why.

Ref | Identified Risk | Potential Impact (Note 1) | Potential Likelihood (Note 1) | Risk Weighting H/M/L (Note 2) | DPU Recommendations
1 | Begin here ….
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |

Note 1 – Key to Impact & Likelihood

Level | Impact | Likelihood
1 | Minor | Rare
2 | Limited | Unlikely
3 | Serious | Possible
4 | Very Serious | Likely
5 | Catastrophic | Occurring or almost certain to occur

Note 2 – Key to Risk Weighting

The risk weighting value is obtained by multiplying the value for ‘Impact’ by the value for ‘Likelihood’ based on the key above. This results in a range of values from 1 – 25 and the key below determines whether the risk is to be rated as High, Medium or Low.

Range | Priority
16 – 25 | High
8 - 15 | Medium
1 - 7 | Low

DPU Staff Member Sign Off

Reviewed By

Date of review

Did the DPO review and approve?

Did the Project Lead accept the recommendations?

Disclaimer

The material contained in this DPIA is for general information purposes only and does not constitute legal advice. It is not intended to provide a comprehensive or detailed statement of the law pertaining to Data Privacy. No liability whatsoever is accepted by Dublin City University for any action taken or not taken in reliance on the information contained in this DPIA. You should not act, or refrain from acting, on the basis of information provided in this DPIA. You should always seek specific legal or professional advice. Any and all information in this DPIA is subject to change without notice.

Version Control

Document Name: DPIA - Step # 2 - Process, Risks and Recommendations
Version Reference: V1.0
Author: Risk & Compliance Officer
Approved by: Data Protection Officer
Date: 11th June 2020

End.
