The Information Commissioner’s Office (ICO) have recently updated their GDPR guidance, specifically in relation to Data Protection Impact Assessments (DPIAs). They have also expanded their guidance on contracts, and introduced guidance on the roles of controllers and processors.
In accordance with the ICO’s guidance a DPIA must:
• describe the nature, scope, context and purposes of the processing;
• assess necessity, proportionality and compliance measures;
• identify and assess risks to individuals; and
• identify any additional measures to mitigate those risks.
A DPIA is useful for identifying and minimising the risks of a project. If your DPIA identifies a high risk and you cannot take measures to reduce that risk, you must consult the ICO. You cannot begin data processing until you have done so.
• monitoring publicly accessible places;
• tracking the location and behaviour of individuals;
• collecting or processing personal data;
• comparing personal data with data from other sources;
• profiling or engaging children for marketing purposes; or
• processing data that might endanger the individual’s physical health or safety in the event of a security breach.
The full details can be found in their guidance here.
A controller may appoint a ‘processor’ to process the data on their behalf. Whenever a controller uses a processor, there must be a written contract (or other legal act) in place between them which sets out their respective responsibilities and liabilities. The ICO guidance sets out what should be included in that contract, in order to comply with GDPR, and the liabilities that the parties may face. The revised guidance can be found here.
The updated guidance also includes helpful checklists to help determine who the data controller is and who the data processor is. For instance, if you engage a catering company or IT supplier they are likely to be considered a processor. It is worth checking if your school has GDPR compliant contracts in place with these processors, and if not, schools should consider putting these in place as soon as possible.
If you would like any further advice, please contact Paul Watkins at firstname.lastname@example.org