Data Protection Impact Assessment
Last updated: — Version 1
Overview
This page provides a high-level summary of the Data Protection Impact Assessment (DPIA) conducted for the NPFS publications platform. The full DPIA is maintained internally and reviewed annually.
Purpose of the assessment
The DPIA was conducted to assess the privacy risks associated with the NPFS website and publications platform, in compliance with Article 35 of the UK GDPR. The assessment covers all personal data processing activities undertaken through this platform.
Data processing activities assessed
- Newsletter subscriptions — collection and processing of email addresses and engagement data for newsletter delivery
- Website analytics — collection of anonymised usage data to understand how the site is used
- Push notifications — browser push notification subscriptions and delivery
- Contact and feedback — any personal data submitted through contact forms or feedback mechanisms
- Authentication — Google Workspace OAuth for administrative users only
Risk assessment summary
The assessment identified the following risk levels:
| Processing activity | Risk level | Mitigation |
|---|---|---|
| Newsletter subscriptions | Low | Double opt-in, easy unsubscribe, minimal data collection |
| Website analytics | Low | Consent-based, anonymised after 26 months |
| Push notifications | Low | Explicit opt-in, easy opt-out, no personal data stored |
| Admin authentication | Low | Google Workspace OAuth, limited to authorised staff |
Measures taken
The following measures have been implemented to mitigate privacy risks:
- Privacy by design and by default applied throughout the platform
- Cookie consent mechanism with granular control
- Double opt-in for newsletter subscriptions
- Data minimisation — we only collect data necessary for each purpose
- Secure data storage within the UK/EEA
- Regular review of data retention periods
- Staff training on data protection obligations
- Incident response procedures in place
Review schedule
This DPIA is reviewed annually or when significant changes are made to the platform's data processing activities. The last review was completed in 2026.
Contact
For questions about this DPIA or our data protection practices, please contact admin@npfs.org.uk.