16. Data Protection Impact Assessments (DPIA)
16.1. The GDPR introduces a new requirement to carry out a risk assessment in relation to the use of Personal Data for a new service, product or process. This must be done prior to the processing, via a Data Protection Impact Assessment (“DPIA”). A DPIA should be started as early as practical in the design of processing operations. A DPIA is not a prohibition on using Personal Data; it is an assessment of the issues affecting Personal Data which need to be considered before a new product, service or process is rolled out. The process is designed to:
16.1.1. describe the collection and use of Personal Data;
16.1.2. assess its necessity and its proportionality in relation to the purposes;
16.1.3. assess the risks to the rights and freedoms of individuals; and
16.1.4. identify the measures to address those risks.
16.2. A DPIA must be completed where the use of Personal Data is likely to result in a high risk to the rights and freedoms of individuals. The ICO’s standard DPIA template is available from www.ico.org.uk.
16.3. Where a DPIA reveals risks which are not appropriately mitigated, the ICO must be consulted.
16.4. Where the College is launching or proposing to adopt a new process, product or service which involves Personal Data, the College needs to consider, as part of the project initiation process, whether it needs to carry out a DPIA. The College needs to carry out the DPIA at an early stage so that it can identify and fix problems with the proposed new process, product or service early, reducing the associated costs and reputational damage which might otherwise occur.
16.5. Situations where the College may have to carry out a Data Protection Impact Assessment include the following (please note that this list is not exhaustive):
16.5.1. large scale and systematic use of Personal Data for the purposes of Automated Decision Making or Profiling (see definitions above) where legal or similarly significant decisions are made;
16.5.2. large scale use of Special Categories of Personal Data, or of Personal Data relating to criminal convictions and offences, e.g. the use of high volumes of health data; or
16.5.3. systematic monitoring of public areas on a large scale, e.g. CCTV cameras.
16.6. All DPIAs must be reviewed and approved by the Data Protection Officer.