
Does Your School Know How to Carry Out a Data Protection Impact Assessment?

on Wednesday, 06 December 2017.

Accountability is a term frequently used in the context of preparations for the General Data Protection Regulation (GDPR) which will apply from 25 May 2018. This is because the GDPR not only requires compliance but a demonstration of that compliance.

What Is a Data Protection Impact Assessment?

A key part of demonstrating accountability is assessing the data protection risks raised by your school's handling of personal data and, when required, carrying out a Data Protection Impact Assessment (DPIA), also known as a Privacy Impact Assessment.

DPIAs are not entirely new: they are already best practice before starting particularly high-risk types of processing, e.g. before introducing CCTV cameras. However, it would not be unusual if your school has never undertaken a DPIA before, because they are not currently mandatory.

Under the GDPR you must assess the data protection risks relevant to your school's activities in order to determine the appropriate measures to put in place to comply with data protection law. Where the processing of personal data will result in a high risk to the rights of individuals, your school must carry out a DPIA.

How Do We Carry Out a DPIA?

There are four essential stages to a DPIA:

  • a description of the proposed use of personal data and the purposes of this use

  • an assessment of the necessity and proportionality of the use of personal data

  • an assessment of the risks to the rights of the individuals affected

  • the measures envisaged to address the risks and demonstrate compliance with the GDPR

When Should We Carry Out a DPIA?

The European Union Article 29 Working Party's guidelines set out criteria for assessing whether a processing activity should be treated as 'high risk'. The criteria include:

  • the use of special category personal data (e.g. medical data)

  • using the personal data of vulnerable individuals (e.g. children)

  • systematic monitoring (e.g. the use of CCTV)

As a general guide, if two of the criteria are met then the activity is likely to constitute a high risk to the rights of individuals and therefore require a DPIA.

When conducting a DPIA your school should involve the relevant staff (e.g. HR director, IT director) and consult with the affected individuals (e.g. staff, parents and pupils).

DPIAs will need to be reviewed frequently and kept up to date. For example, the activity covered by a DPIA may change slightly and present new risks as a result. Your school will also need to review all uses of personal data on a regular basis to check whether any activity has started to present high risks to individuals and therefore requires a DPIA.

The EU Article 29 Working Party's guidelines on DPIAs are just one example of the guidance being developed by regulators in the run-up to May 2018. To give schools peace of mind that they are up to date with the latest developments in data protection law, we have developed a data protection module of our Compliance Toolkit. This is a monthly updating service which lets schools know about the latest developments and how they affect the school's compliance framework.


If you would like to know more about the data protection module, please contact Claire Hall, in our Data Protection team, on 0117 314 5279.
