Data Protection Impact Assessment (DPIA)


Updated January 2022

We do not currently require a DPIA for our website or resources. As part of our annual review, or at the start of a new project, we confirm whether a DPIA is needed and, if so, whether it is a review of pre-GDPR processing or covers intended processing, including timelines. In either case we comply with ICO requirements and cover the elements below. All updated or completed DPIAs will be uploaded for review as part of our Data Protection and GDPR reviews and actions. Every DPIA would follow this process and confirm that we have:

☐ explained why we needed a DPIA, detailing the types of intended processing that made it a requirement;

☐ structured the document clearly, systematically and logically;

☐ written the DPIA in plain English, with a non-specialist audience in mind, explaining any technical terms and acronyms we have used;

☐ set out clearly the relationships between controllers, processors, data subjects and systems, using both text and data-flow diagrams where appropriate;

☐ ensured that the specifics of any flows of personal data between people, systems, organisations and countries have been clearly explained and presented;

☐ explicitly stated how we are complying with each of the Data Protection Principles under GDPR and clearly explained our lawful basis for processing (and special category conditions if relevant);

☐ explained how we plan to support the relevant information rights of our data subjects;

☐ identified all relevant risks to individuals’ rights and freedoms, assessed their likelihood and severity, and detailed all relevant mitigations;

☐ explained sufficiently how any proposed mitigation reduces the identified risk in question;

☐ evidenced our consideration of any less risky alternatives to achieving the same purposes of the processing, and why we didn’t choose them;

☐ given details of stakeholder consultation (e.g. data subjects, representative bodies) and included summaries of findings;

☐ attached any relevant additional documents we reference in our DPIA, e.g. Privacy Notices, consent documents;

☐ recorded the advice and recommendations of our DPO (where relevant) and ensured the DPIA is signed off by the appropriate people;

☐ agreed and documented a schedule for reviewing the DPIA regularly or when we change the nature, scope, context or purposes of the processing;

☐ consulted the ICO if there are residual high risks we cannot mitigate.