A DPIA (data protection impact assessment) is a type of risk assessment that ensures any new projects that involve the processing of personal data, such as the use of new software, consider the data subjects and how their data will be protected. If a process poses a high risk to the rights and freedoms of the data subjects or involves the processing of children’s data, then, under the GDPR, a DPIA is required.
What is a DPIA?
A DPIA is a way to assess and hopefully mitigate any risks to personal data that a new processing activity could introduce. It is an opportunity to understand how the personal data will be used, who will have access to it and how it will be protected.
When might a DPIA be needed in school?
Any new project that involves the processing of personal data may need a DPIA. This includes new manual processes as well as new software. Examples include implementing a new management information system, any new software that uses biometrics, and collecting health data for COVID-19-related activities, including testing.
What are the benefits of a DPIA?
While it might seem like an additional step that takes time and resources, there are benefits for both the school or trust and the data subjects. Let’s take a look at the three main benefits of conducting a DPIA:
Data subjects are protected from the outset
An important part of the DPIA is reviewing how the data will be processed, any risks this poses and how these risks can be mitigated. If a risk is ‘unauthorised access to the data’, then mitigating measures could include applying security measures such as access control and two-factor authentication. If the DPIA finds that the risks to the data are too high and cannot be mitigated, then the school must consult the ICO (Information Commissioner’s Office) before going ahead with the project. For a new software system, especially online or cloud software, the DPIA should also examine the supplier’s involvement in the processing and their ability to protect personal data.
Engages all relevant stakeholders
For some new processing, such as the use of biometrics, the data subjects themselves need to be consulted before the system is implemented. And for all new systems, involving relevant people across the organisation will ensure a smooth implementation and buy-in. Consulting your IT team about the suitability of the school or trust’s infrastructure to run a new system, speaking to staff about what training they might need and explaining why new systems are being reviewed will help them feel involved and identify issues you may not be aware of.
Raises awareness of data protection and supports data protection by design
Data protection by design ensures that protecting data is a consideration from the outset, and the DPIA process is an important step in this. Following the DPIA process and involving the wider organisation helps everyone to see that data protection is taken seriously and to feel confident when new systems are introduced.
Luke Irwin is an award-nominated writer in the information security field. He has a technical background, obtaining a master's degree from Nottingham University in 2016, and has had work featured in numerous online publications.