GDPR: Say Hello to Data Protection Impact Statements

This is a summary taken from Judicium’s GDPR ‘Sofa Session’ from the 24th of November, with our Senior Data Protection Consultant Justyna Suldecka, LLB (Hons). This session was centred around: the legal position and why DPIAs are a requirement; the importance and benefits of DPIAs; and DPIAs in practice.

What Is a DPIA? 

In very simple terms, it is a risk assessment on your data protection.

The process enables your school to identify and address data protection concerns and risks before engaging a new provider, system, or technology.

You are already familiar with risk assessments. They are embedded into your day-to-day school life; whether that’s in the office, in the classroom or on trips out with pupils.

So, DPIAs are exactly that – but with more of a data protection twist to them!

If possible, we recommend your data protection lead and/or DPO conduct the DPIAs. DPOs must be heavily involved in this process as DPIAs won’t be valid without the DPO’s signature.

Why Conduct a DPIA? 

The law (Article 35 of the UK GDPR) states that DPIAs are a requirement for any high-risk personal data operations. These include:

• a new technology will be used

• sensitive personal data will be shared

• data subjects are vulnerable

• large amounts (or large scope) of personal data will be used

• research may be involved

• CCTV or other surveillance will be undertaken

Raising awareness with staff that they need to consider data protection before utilising a new provider will ultimately lead to the question - how? Your DPO can remind and guide staff through the DPIA process.

What Does High Risk Mean?

It is about the potential for any significant physical, material or non-material harm to individuals. In a school setting an example of this might be sharing data regarding a looked-after child with a new individual or organisation.

It is important to conduct DPIAs as best practice. Whether you already know if a technology will be high risk or not, a DPIA will allow you to look at more than only the legal compliance aspect and arguably boost your relationship with the key stakeholders should a data protection query arise.

Examples of High-Risk Data: 

1. Introducing a new software to log safeguarding concerns. This is high risk because of the data being inserted into the technology and therefore requires a high risk DPIA submitted to the ICO.

2.  Utilising a third party to provide tuition, enabling extra support for students at your school. Potentially less high risk but the amount of data might be high.

3.  Adopting a fun App for pupils to utilise to complete their homework which may seem to be a smaller risk, but what if the App has a feature to upload videos or images? This would pose a higher risk.

What are the Benefits of Conducting High-Risk DPIAs? 

DPIAs allow data protection to be factored into decision-making.
 
They allow schools to take into account any measures to mitigate risk or adverse effects, or something that may lead to a data breach. Another benefit to conducting DPIAs appropriately, is of course the obvious = compliance with the law!
 
Reviewing your DPIAs allows you to check whether the goalpost has shifted, such as a change in the provider’s privacy notice or even a change in the law.
 
Your DPO should identify any upcoming legal changes that could affect your school in advance.

DPIAs In Practice: 

What is the Process? And when do we complete DPIAs?

NB: BEFORE implementing a new system, technology, or provider.

What do we include?

There is no set rule and what is necessary varies depending on the technology and use of the data.
 
Your DPO can help walk you through what is required for the particular DPIA. We have a number of pre-populated DPIAs that we can help your school to complete and tailor to your requirements.
 
The ICO also provide guidance on essentials such as the assessment of necessity to use this provider and the proportionality of it.

Who should you consult?

Again, this depends on the project you are going to undertake, but some key individuals to remember are:

•  Your internal data protection contact.

• Your DPO!

• In some instances, you may need to consult the data subjects (the people whose data will be used – whether that is parents, pupils or staff).

• Your IT provider to ensure data can be shared securely.

• Depending on the activity, e.g., CCTV, you may need to consult your neighbouring parties.

Key Points to Take Away: 

1. Consult your DPO if you are unsure whether a DPIA should be conducted.

2. Ask your DPO for input.

3. Conduct DPIAs before you share data.

4. Make sure your DPIA includes some key information such as description of processing, steps taken to mitigate risks, impact on data subjects, and assessment of risks.

5. Assess necessity and proportionality

6. Sign and date the DPIAs to ensure they will be valid. Remember the DPO must sign too!

7. Review DPIAs when processing changes, or annually as best practice.

Helpful Information: 

ICO DPIA information and sample template: 

https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-impact-assessments/

Jedu is Judicium's online GDPR compliance tracking software for schools. Our platform is suitable for single schools to large MATs and is designed to assist schools with two critical needs: To enable trustees, governors and other schools’ leaders to monitor GDPR compliance; and to assist you manage your data protection.

You can also find information regarding our Data Protection service for Schools and MATs click here.

If you require any support in any of these steps or would like to talk to someone surrounding some support for your school, please do not hesitate to call us on 0345 548 7000 or email georgina.decosta@judicium.com.