A key thing about the GDPR is its focus on Privacy by Design (accountability). Article 35(1) of the GDPR mandates that you carry out a Data Protection Impact Assessment (DPIA) where a type of processing is likely to result in a high risk to the rights and freedoms of individuals.
As such, schools should embed data protection into the development of new processes and systems, and undertake DPIAs. You should also consider carrying out a DPIA on any existing processes or systems that process special category data.
Don’t run for the hills - they may sound complicated, but they really aren’t.
A DPIA is a great way to ensure that you consider personal data and how the rights of the data subjects will be met as part of any new policies you implement or project you undertake in school.
Here’s a high-level outline of what the ICO says:
- A DPIA is a process which assists organisations in identifying and minimising the privacy risks of new projects or policies.
- Conducting a DPIA involves working with people within the organisation, with partner organisations and with the people affected to identify and reduce privacy risks.
- The DPIA will help to ensure that potential problems are identified at an early stage, when addressing them will often be simpler and less costly.
- Conducting a DPIA should benefit organisations by producing better policies and systems and improving the relationship between organisations and individuals.
When you start something new you know what you want to achieve.
For example, your school wants to introduce Welsh as a mandatory language for all students. To plan the implementation of this you will consider things such as:
- Who will teach Welsh in school?
- Do you have available/suitable classrooms?
- What resources do you need and how will you fund them?
- The need to offer exams
And so on…
Personal data will be used throughout the above process, so performing a DPIA will help you identify potential privacy risks and thus minimise, and in some cases remove, those risks.
You simply need to make sure you have covered all bases to ensure you mitigate any risks associated with what you want to do.
There are many tools that can guide you through completing a DPIA and make the process less onerous. GDPRiS is designed specifically for schools and will help you:
- Carry out consistent, comprehensive DPIAs with confidence using our integrated DPIA tool
- Identify data security risks and determine the likelihood of their occurrence and impact
- Quickly find, review and update DPIAs when changes in processing activities occur
- Collaborate and share DPIA findings with stakeholders and data processors
- Easily demonstrate measures taken for GDPR compliance, essential to help you meet Article 35 requirements
- Avoid unnecessary work with screening questions to determine if a DPIA is required
- Reduce errors and ensure completeness using a tool aligned with the requirements of the GDPR and the ICO (Information Commissioner’s Office)