One of the most important documents for the University in complying with GDPR is the ‘Data Protection Impact Assessment’ (DPIA). It is a legal requirement wherever data processing is likely to result in a high risk to individuals, and good practice for any project involving the processing of personal data.
If you are starting a new project or changing the way you use staff, student, or customer data then you need to carry out a DPIA.
Fill out the template and send it back to the Data Protection Officer at firstname.lastname@example.org. The DPO may ask for further information and provide advice and recommendations. If the project is particularly large-scale or high-risk, senior management input and approval may be required.
Tips for completing a Data Protection Impact Assessment (DPIA)
- Describe what the project does with personal data in detail, especially the flow of the data: What data is collected? Where and how do you collect it? What system is used? Who are you sharing it with? Are you using a third party to provide any hosting or software? Which areas do you think are high risk, either in the data itself or in the process?
- One of the complex areas of the GDPR is determining a legal basis for processing the personal data. Consent is rarely the legal basis the University uses. Start with 'Are we required by law to do this?' If not, 'Is it required to fulfil our contract with someone?' If not, 'Is it required to fulfil the University's official powers to teach, research and award degrees?' If not, 'What legitimate interest is it meeting?' Think about these questions and liaise with the data protection team, and we can get this covered.
- The GDPR gives people whose data you are working with a right to be informed about how it is being used. We have a number of privacy notices in place at the University but consider how you will let people know, particularly if it is a new type of service. Could you add a specific message on the website where people sign up or include contact details for more information?
- At the beginning of a project, you are often very focused on getting everything planned and launched. On the DPIA, try to think about the end of the project and beyond. Will you need to delete the data? Will you be passing it on to another department or repository? How long do you need to keep it for?
- Don't worry if you are unsure about any of the sections on our template; just ask, and we will work with you to make sure the DPIA supports both your project and the University's wider compliance requirements.