Accountability

Alongside the data protection principles listed above, the GDPR includes a requirement that data controllers can demonstrate compliance with those principles.

There is also a requirement to implement what the GDPR calls ‘data protection by design and by default’. This introduces an obligation to show that data protection has been treated as a fundamental principle in the design and operation of data processing activities and systems.

Privacy Impact Assessments

An important tool in implementing and demonstrating data protection by design is a Privacy Impact Assessment (PIA), also referred to as a Data Protection Impact Assessment (DPIA). These are already encouraged by the ICO as a good way of meeting obligations under the DPA, although they are not currently a legal requirement.

Under the GDPR, PIAs will be mandatory for new processing activities that are likely to result in a high risk to the rights and freedoms of individuals, particularly where new technologies are being used. The GDPR states that, although not limited to the following situations, this will particularly apply to:

Currently, the University’s policy is that a PIA should be completed at the outset of any project, or change to an existing system or process, that will involve the collection or handling of personal data. The University’s PIA template, along with further information about the process, is available here.

Also see the ICO’s webpage on accountability and governance, the Article 29 Data Protection Working Party’s guidance on Data Protection Impact Assessments under the GDPR and Articles 5(2), 25, 35 and 36 of the GDPR.